CVE-2026-31579

Summary

In the Linux kernel, the following vulnerability has been resolved:

wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit

wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock.

Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window.

The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net()

  • which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence.

[ Jason: added __net_exit and __read_mostly annotations that were missing. ]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux900575aa33a3eaaef802b31de187a85c4a4b4bd0 < 9a9e69155b2091b8297afaf1533b8d68a3096841affected
LinuxLinux900575aa33a3eaaef802b31de187a85c4a4b4bd0 < 1c52ef00e391144334f10995985c2f256d4be982affected
LinuxLinux900575aa33a3eaaef802b31de187a85c4a4b4bd0 < a1d0f6cbb962af29586e3e65a4bced1a5e39221faffected
LinuxLinux900575aa33a3eaaef802b31de187a85c4a4b4bd0 < 60a25ef8dacb3566b1a8c4de00572a498e2a3bf9affected
LinuxLinux363cc6efdbb54bb06cd5034a69b41aae974a736faffected
LinuxLinux5.7.7 < 5.8affected
LinuxLinux5.8affected
LinuxLinux0 < 5.8unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0.1 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References