PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52945 Linux CVE debrief

CVE-2026-52945 is a HIGH severity vulnerability in the Linux kernel, with a CVSS score of 7.5. It was introduced by a commit that enabled threaded NAPI by default for the WireGuard device, which caused a rare but critical problem on the WireGuard receive path: under heavy networking load, decryption stops working completely for one specific WireGuard peer while other peers remain unaffected. The stall appears to be triggered when the MAX_QUEUED_PACKETS limit is reached, causing the wg_packet_rx_poll function to fail. The vulnerability has been observed in stable kernels v5.15 and v6.1 but not in v5.10 stable.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-06-28
Advisory published: 2026-06-24
Advisory updated: 2026-06-28

Who should care

Linux kernel users should be aware of this vulnerability, particularly those using WireGuard as the encryption layer for Kubernetes pod east/west traffic, where one stalled peer silently cuts off a subset of pod-to-pod connections. The issue may cause decryption failures for specific WireGuard peers under heavy networking load. Users of stable kernels v5.15 and v6.1 are advised to take precautions.

Technical summary

The vulnerability was caused by a commit (db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e) that enabled threaded NAPI by default in the WireGuard device. This change led to a rare but critical issue in which the decryption side stops working for a specific WireGuard peer under heavy networking load. The problem arises when the MAX_QUEUED_PACKETS limit (1024 skbs) is reached, causing the wg_packet_rx_poll function to fail, so that peer's incoming traffic is no longer decrypted while other peers continue to work. The issue has been observed in stable kernels v5.15 and v6.1 but not in v5.10 stable. The commit was reverted (933466fc50a8e4eb167acbd0d8ec96a078462e9c) to mitigate the issue.

Defensive priority

Patching the affected Linux kernel versions, or applying the revert, should be treated as high priority. Linux kernel users, especially those running WireGuard, should monitor their systems for per-peer decryption failures and apply mitigations as necessary.

Recommended defensive actions

  • Apply the revert commit (933466fc50a8e4eb167acbd0d8ec96a078462e9c) to disable threaded NAPI by default.
  • Monitor WireGuard peers for decryption failures under heavy networking load.
  • Consider upgrading to a patched Linux kernel version.
  • Review system configurations and adjust MAX_QUEUED_PACKETS limits if necessary.
  • Implement compensating controls to detect and respond to potential decryption failures.
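One way to operationalise the monitoring item above, as an added example that is not part of this debrief or of the WireGuard project: the script below compares two `wg show all dump` snapshots and flags peers whose received-byte counter has frozen while their sent-byte counter keeps climbing, which is the shape of a one-sided decrypt stall. It assumes that WireGuard's transfer-rx counter advances only for successfully decrypted packets, and the snapshots, peer keys and byte threshold are constructed placeholders.

```python
"""Heuristic detector for the one-sided WireGuard decrypt stall: compare two
`wg show all dump` snapshots and flag peers whose transfer-rx counter froze while
transfer-tx kept growing. Added example, not kernel or WireGuard project code."""


def parse_dump(text: str) -> dict[tuple[str, str], tuple[int, int]]:
    """Map (iface, peer-pubkey) -> (rx_bytes, tx_bytes) from `wg show all dump`.
    Peer lines have 9 tab-separated fields: iface, pubkey, psk, endpoint,
    allowed-ips, latest-handshake, rx, tx, keepalive; the 5-field interface
    header lines are skipped."""
    peers = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 9:
            continue
        iface, pubkey, _psk, _ep, _allowed, _hs, rx, tx, _ka = fields
        peers[(iface, pubkey)] = (int(rx), int(tx))
    return peers


def stalled_peers(before, after, min_tx_delta: int = 1_000_000) -> list[tuple[str, str]]:
    """Peers that sent >= min_tx_delta bytes in the window but received nothing.
    Assumption: transfer-rx advances only for successfully decrypted packets, so
    flat rx beside growing tx matches 'decrypt side stops for one peer'. A peer
    that received but sent nothing is merely idle and is not flagged."""
    flagged = []
    for key, (rx0, tx0) in before.items():
        if key not in after:  # no baseline for peers added/removed mid-window
            continue
        rx1, tx1 = after[key]
        if tx1 - tx0 >= min_tx_delta and rx1 == rx0:
            flagged.append(key)
    return sorted(flagged)


# Constructed snapshots ~60 s apart, in dump format (placeholder keys, not real).
SNAPSHOT_T0 = "\n".join("\t".join(r) for r in [
    ("wg0", "(hidden)", "IFACE_PUBKEY", "51820", "off"),
    ("wg0", "PEER_A", "(none)", "10.0.0.2:51820", "10.42.1.0/24", "1719000000", "500000", "600000", "25"),
    ("wg0", "PEER_B", "(none)", "10.0.0.3:51820", "10.42.2.0/24", "1719000001", "700000", "800000", "25"),
])
SNAPSHOT_T1 = "\n".join("\t".join(r) for r in [
    ("wg0", "(hidden)", "IFACE_PUBKEY", "51820", "off"),
    ("wg0", "PEER_A", "(none)", "10.0.0.2:51820", "10.42.1.0/24", "1719000060", "500000", "5600000", "25"),
    ("wg0", "PEER_B", "(none)", "10.0.0.3:51820", "10.42.2.0/24", "1719000061", "2700000", "2800000", "25"),
    ("wg0", "PEER_C", "(none)", "10.0.0.4:51820", "10.42.3.0/24", "1719000062", "0", "100", "25"),
])

if __name__ == "__main__":
    for iface, pubkey in stalled_peers(parse_dump(SNAPSHOT_T0), parse_dump(SNAPSHOT_T1)):
        print(f"{iface}: peer {pubkey} is sending but its rx counter is frozen")
```

In production, replace the constructed strings with the output of `wg show all dump` captured a minute apart and alert on any flagged peer, since a handshake can still succeed on the separate handshake path while data decryption for that peer is stuck.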

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. The source item URL provides additional context from the NVD database. The reference URL points to the Linux kernel commit that introduced the vulnerability.

Official resources

This AI-assisted debrief is based on the supplied source corpus and provides an overview of CVE-2026-52945. The information is subject to change as new evidence emerges.