CVE-2026-52945

HIGHPre-NVD 7.57.5
EchelonGraph scoreHIGH confidence

Score 7.5 from GitHub Security Advisory (severity: HIGH) published 2026-06-24. a secondary CVSS source baseline 7.5; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
Trending — 3 sources updated this week
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

Revert "wireguard: device: enable threaded NAPI"

This reverts commit 933466fc50a8e4eb167acbd0d8ec96a078462e9c which is commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e upstream.

We have had three independent production user reports in combination with Cilium utilizing WireGuard as encryption underneath that k8s Pod E/W traffic to certain peer nodes fully stalled. The situation appears as follows:

  • Occurs very rarely but at random times under heavy networking load.
  • Once the issue triggers the decryption side stops working completely
for that WireGuard peer, other peers keep working fine. The stall happens also for newly initiated connections towards that particular WireGuard peer.
  • Only the decryption side is affected, never the encryption side.
  • Once it triggers, it never recovers and remains in this state,
the CPU/mem on that node looks normal, no leak, busy loop or crash.
  • bpftrace on the affected system shows that wg_prev_queue_enqueue
fails, thus the MAX_QUEUED_PACKETS (1024 skbs!) for the peer's rx_queue is reached.
  • Also, bpftrace shows that wg_packet_rx_poll for that peer is never
called again after reaching this state for that peer. For other peers wg_packet_rx_poll does get called normally.
  • Commit db9ae3b ("wireguard: device: enable threaded NAPI")
switched WireGuard to threaded NAPI by default. The default has not been changed for triggering the issue, neither did CPU hotplugging occur (i.e. 5bd8de2 ("wireguard: queueing: always return valid online CPU in wg_cpumask_choose_online()")).
  • The issue has been observed with stable kernels of v5.15 as well as
v6.1. It was reported to us that v5.10 stable is working fine, and no report on v6.6 stable either (somewhat related discussion in [0] though).
  • In the WireGuard driver the only material difference between v5.10
stable and v5.15 stable is the switch to threaded NAPI by default.

[0] https://lore.kernel.org/netdev/CA+wXwBTT74RErDGAnj98PqS=wvdh8eM1pi4q6tTdExtjnokKqA@mail.gmail.com/

Breakdown of the problem:

1) skbs arriving for decryption are enqueued to the peer->rx_queue in wg_packet_consume_data via wg_queue_enqueue_per_device_and_peer. 2) The latter only moves the skb into the MPSC peer queue if it does not surpass MAX_QUEUED_PACKETS (1024) which is kept track in an atomic counter via wg_prev_queue_enqueue. 3) In case enqueueing was successful, the skb is also queued up in the device queue, round-robin picks a next online CPU, and schedules the decryption worker. 4) The wg_packet_decrypt_worker, once scheduled, picks these up from the queue, decrypts the packets and once done calls into wg_queue_enqueue_per_peer_rx. 5) The latter updates the state to PACKET_STATE_CRYPTED on success and calls napi_schedule on the per peer->napi instance. 6) NAPI then polls via wg_packet_rx_poll. wg_prev_queue_peek checks on the peer->rx_queue. It will wg_prev_queue_dequeue if the queue->peeked skb was not cached yet, or just return the latter otherwise. (wg_prev_queue_drop_peeked later clears the cache.) 7) From an ordering perspective, the peer->rx_queue has skbs in order while the device queue with the per-CPU worker threads from a global ordering PoV can finish the decryption and signal the skb PACKET_STATE_CRYPTED out of order. 8) A situation can be observed that the first packet coming in will be stuck waiting for the decryption worker to be scheduled for a longer time when the system is under pressure. 9) While this is the case, the other CPUs in the meantime finish decryption and call into napi_schedule. 10) Now in wg_packet_rx_poll it picks up the first in-order skb from the peer->rx_queue and sees that its state is still PACKET_STATE_UNCRYPTED. The NAPI poll routine then exits e ---truncated---

CVSS v3
7.5
EG Score
7.5(high)
EPSS
22.5%
KEV
Not listed

Published

June 24, 2026

Last Modified

July 2, 2026

Advisory Details (1)

Auto-updated Jun 28, 2026
No patch confirmed yet.
generic

Revert "wireguard: device: enable threaded NAPI" - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/e94b369ff82f9bc84f090f271bd78f41c9f6ab2f

Vendor Advisories for CVE-2026-52945(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 36× in last 7d / 48× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 03:18 UTCEG score recompute
  2. 2026-07-07 03:18 UTCGHSA enrichment
  3. 2026-07-06 16:27 UTCEPSS rescore
  4. 2026-07-06 16:27 UTCEPSS rescore
  5. 2026-07-06 15:29 UTCEG score recompute
  6. 2026-07-06 15:29 UTCGHSA enrichment
  7. 2026-07-06 03:37 UTCEG score recompute
  8. 2026-07-06 03:37 UTCGHSA enrichment
  9. 2026-07-06 02:23 UTCEPSS rescore
  10. 2026-07-06 02:23 UTCEPSS rescore
  11. 2026-07-05 15:48 UTCEG score recompute
  12. 2026-07-05 15:48 UTCGHSA enrichment
  13. 2026-07-05 03:58 UTCEG score recompute
  14. 2026-07-05 03:58 UTCGHSA enrichment
  15. 2026-07-05 02:30 UTCEPSS rescore
  16. 2026-07-04 16:03 UTCEG score recompute
  17. 2026-07-04 16:03 UTCGHSA enrichment
  18. 2026-07-04 06:31 UTCEPSS rescore
  19. 2026-07-04 04:11 UTCEG score recompute
  20. 2026-07-04 04:11 UTCGHSA enrichment
  21. 2026-07-03 16:16 UTCEG score recompute
  22. 2026-07-03 16:16 UTCGHSA enrichment
  23. 2026-07-03 04:27 UTCEG score recompute
  24. 2026-07-03 04:27 UTCGHSA enrichment
  25. 2026-07-02 16:36 UTCEG score recompute
Show 23 more
  1. 2026-07-02 16:36 UTCGHSA enrichment
  2. 2026-07-02 04:46 UTCEG score recompute
  3. 2026-07-02 04:46 UTCGHSA enrichment
  4. 2026-07-01 16:57 UTCEG score recompute
  5. 2026-07-01 16:57 UTCGHSA enrichment
  6. 2026-07-01 15:07 UTCEPSS rescore
  7. 2026-07-01 05:08 UTCEG score recompute
  8. 2026-07-01 05:07 UTCGHSA enrichment
  9. 2026-06-30 23:22 UTCEPSS rescore
  10. 2026-06-30 17:16 UTCEG score recompute 7.50
  11. 2026-06-30 17:16 UTCGHSA enrichment
  12. 2026-06-29 14:06 UTCEPSS rescore
  13. 2026-06-29 14:06 UTCEPSS rescore
  14. 2026-06-28 14:07 UTCEPSS rescore
  15. 2026-06-28 07:52 UTCMITRE cvelistV5CVSS v3 → 7.5 · severity → HIGH
  16. 2026-06-28 04:56 UTCEPSS rescore
  17. 2026-06-28 04:56 UTCEPSS rescore
  18. 2026-06-27 17:50 UTCEG score recompute
  19. 2026-06-27 17:50 UTCGHSA enrichment
  20. 2026-06-27 03:08 UTCEPSS rescore
  21. 2026-06-25 13:49 UTCEPSS rescore
  22. 2026-06-24 18:31 UTCEG score recompute
  23. 2026-06-24 18:02 UTCNVD updatefirst tracked

Frequently asked(5)

What is CVE-2026-52945?
CVE-2026-52945 is a high vulnerability published on June 24, 2026. In the Linux kernel, the following vulnerability has been resolved: Revert "wireguard: device: enable threaded NAPI" This reverts commit 933466fc50a8e4eb167acbd0d8ec96a078462e9c which is commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e upstream. We have had three independent production user reports…
When was CVE-2026-52945 disclosed?
CVE-2026-52945 was first published in the National Vulnerability Database on June 24, 2026, with the most recent update on July 2, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-52945 actively exploited?
CVE-2026-52945 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 22.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-52945?
CVE-2026-52945 has a CVSS v3 base score of 7.5 (NVD).
How do I remediate CVE-2026-52945?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52945, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52945

Explore →

Is Your Infrastructure Affected by CVE-2026-52945?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.