HOMEVULNERABILITIESCVE-2026-52945
HIGH

CVE-2026-52945

Published: June 24, 2026· Updated: Jul 1, 2026

7.5
CVSS v3.1
EPSS:0.10%probability of exploitation in 30 daysPercentile:1.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

Revert "wireguard: device: enable threaded NAPI"

This reverts commit 933466fc50a8e4eb167acbd0d8ec96a078462e9c which is

commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e upstream.

We have had three independent production user reports in combination

with Cilium utilizing WireGuard as encryption underneath that k8s Pod

E/W traffic to certain peer nodes fully stalled. The situation appears

as follows:

- Occurs very rarely but at random times under heavy networking load.

- Once the issue triggers the decryption side stops working completely

for that WireGuard peer, other peers keep working fine. The stall

happens also for newly initiated connections towards that particular

WireGuard peer.

- Only the decryption side is affected, never the encryption side.

- Once it triggers, it never recovers and remains in this state,

the CPU/mem on that node looks normal, no leak, busy loop or crash.

- bpftrace on the affected system shows that wg_prev_queue_enqueue

fails, thus the MAX_QUEUED_PACKETS (1024 skbs!) for the peer's

rx_queue is reached.

- Also, bpftrace shows that wg_packet_rx_poll for that peer is never

called again after reaching this state for that peer. For other

peers wg_packet_rx_poll does get called normally.

- Commit db9ae3b ("wireguard: device: enable threaded NAPI")

switched WireGuard to threaded NAPI by default. The default has

not been changed for triggering the issue, neither did CPU

hotplugging occur (i.e. 5bd8de2 ("wireguard: queueing: always

return valid online CPU in wg_cpumask_choose_online()")).

- The issue has been observed with stable kernels of v5.15 as well as

v6.1. It was reported to us that v5.10 stable is working fine, and

no report on v6.6 stable either (somewhat related discussion in [0]

though).

- In the WireGuard driver the only material difference between v5.10

stable and v5.15 stable is the switch to threaded NAPI by default.

[0] https://lore.kernel.org/netdev/CA+wXwBTT74RErDGAnj98PqS=wvdh8eM1pi4q6tTdExtjnokKqA@mail.gmail.com/

Breakdown of the problem:

1) skbs arriving for decryption are enqueued to the peer->rx_queue in

wg_packet_consume_data via wg_queue_enqueue_per_device_and_peer.

2) The latter only moves the skb into the MPSC peer queue if it does

not surpass MAX_QUEUED_PACKETS (1024) which is kept track in an

atomic counter via wg_prev_queue_enqueue.

3) In case enqueueing was successful, the skb is also queued up

in the device queue, round-robin picks a next online CPU, and

schedules the decryption worker.

4) The wg_packet_decrypt_worker, once scheduled, picks these up

from the queue, decrypts the packets and once done calls into

wg_queue_enqueue_per_peer_rx.

5) The latter updates the state to PACKET_STATE_CRYPTED on success

and calls napi_schedule on the per peer->napi instance.

6) NAPI then polls via wg_packet_rx_poll. wg_prev_queue_peek checks

on the peer->rx_queue. It will wg_prev_queue_dequeue if the

queue->peeked skb was not cached yet, or just return the latter

otherwise. (wg_prev_queue_drop_peeked later clears the cache.)

7) From an ordering perspective, the peer->rx_queue has skbs in order

while the device queue with the per-CPU worker threads from a

global ordering PoV can finish the decryption and signal the skb

PACKET_STATE_CRYPTED out of order.

8) A situation can be observed that the first packet coming in will

be stuck waiting for the decryption worker to be scheduled for

a longer time when the system is under pressure.

9) While this is the case, the other CPUs in the meantime finish

decryption and call into napi_schedule.

10) Now in wg_packet_rx_poll it picks up the first in-order skb

from the peer->rx_queue and sees that its state is still

PACKET_STATE_UNCRYPTED. The NAPI poll routine then exits e

---truncated---

NVD Source

Technical Analysis

CVE-2026-52945 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 7.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (4)

Quick Facts

CVE IDCVE-2026-52945
CVSS Score7.5 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.10%
PublishedJun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-52945 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.