CVE-2026-31691 Overview
A denial of service vulnerability exists in the Linux kernel's igb network driver where the napi_synchronize() function in igb_down() can cause an indefinite block when an AF_XDP zero-copy application terminates abruptly. This race condition prevents the network interface from properly shutting down, leading to TX watchdog timeouts and permanently stalled TX queues.
Critical Impact
System network interfaces using the igb driver can become permanently stalled, causing denial of service conditions when AF_XDP zero-copy applications are forcefully terminated.
Affected Products
- Linux Kernel (igb network driver)
- Systems using Intel Gigabit Ethernet adapters with AF_XDP zero-copy functionality
- Linux-based network appliances and servers with igb-based network interfaces
Discovery Timeline
- 2026-04-27 - CVE CVE-2026-31691 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31691
Vulnerability Analysis
The vulnerability resides in the igb_down() function of the Linux kernel's igb network driver. When an AF_XDP zero-copy application terminates abruptly (such as via kill -9), the XSK buffer pool is destroyed while NAPI polling continues. The igb_clean_rx_irq_zc() function repeatedly returns the full budget, which prevents napi_complete_done() from clearing the NAPI_STATE_SCHED flag.
The problematic code path occurs because igb_down() calls napi_synchronize() before napi_disable() for each queue vector. The napi_synchronize() function spins indefinitely waiting for NAPI_STATE_SCHED to clear, but this condition is never satisfied due to the continuous full-budget returns. This creates a deadlock scenario where igb_down() blocks indefinitely, triggering the TX watchdog and leaving the TX queue permanently stalled.
Root Cause
The root cause is the redundant use of napi_synchronize() before napi_disable() in the network interface shutdown path. While napi_synchronize() was originally added to prevent panic conditions caused by Rx traffic arrival during interface shutdown (commit 41f149a285da), the function cannot handle the edge case where NAPI polling continuously returns the full budget.
The napi_disable() function provides stronger guarantees by setting NAPI_STATE_DISABLE, which allows __napi_poll() to check for napi_disable_pending(). When this flag is detected, the kernel forces completion and clears NAPI_STATE_SCHED, breaking the infinite loop that napi_synchronize() cannot escape.
Attack Vector
The vulnerability is triggered locally through the following sequence:
- An AF_XDP zero-copy application establishes connections using the igb network interface
- The application is forcefully terminated (e.g., via SIGKILL)
- The XSK buffer pool is destroyed while NAPI polling remains active
- igb_clean_rx_irq_zc() continuously returns full budget values
- igb_down() calls napi_synchronize() which spins indefinitely
- TX watchdog fires and the network interface becomes permanently stalled
The fix involves removing the redundant napi_synchronize() call and reordering napi_disable() to execute before igb_set_queue_napi(), ensuring the queue-to-NAPI mapping is only cleared after polling has fully stopped.
Detection Methods for CVE-2026-31691
Indicators of Compromise
- TX watchdog timeout messages in kernel logs (e.g., NETDEV WATCHDOG: eth0 (igb): transmit queue X timed out)
- Network interfaces becoming unresponsive after AF_XDP application crashes
- Kernel threads stuck in napi_synchronize() visible in stack traces
- High CPU usage from spinning NAPI polling threads
Detection Strategies
- Monitor kernel logs for igb driver TX watchdog timeout events
- Implement process monitoring for AF_XDP zero-copy applications with automatic cleanup procedures
- Use kernel tracing to detect prolonged napi_synchronize() blocking states
- Deploy network health monitoring to detect interface stall conditions
Monitoring Recommendations
- Configure alerting for TX watchdog timeout events in syslog
- Implement automated network interface health checks at regular intervals
- Monitor for unusual patterns in AF_XDP application termination events
- Track CPU utilization anomalies associated with kernel network threads
How to Mitigate CVE-2026-31691
Immediate Actions Required
- Apply the kernel patches provided in the stable kernel releases
- Consider graceful shutdown procedures for AF_XDP zero-copy applications instead of force termination
- Monitor systems for signs of network interface stalling
- Have interface reset procedures ready as a temporary workaround
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix removes the redundant napi_synchronize() call and reorders napi_disable() to ensure proper cleanup sequencing. Patches are available through the following kernel git commits:
Workarounds
- Avoid using force termination signals (SIGKILL) on AF_XDP zero-copy applications; implement graceful shutdown handlers using SIGTERM instead
- Implement application-level cleanup routines to properly release XSK buffer pools before termination
- If network interface becomes stalled, perform manual interface reset using ip link set <interface> down && ip link set <interface> up
- Consider using alternative Intel network drivers (ixgbe, ice, i40e) that do not exhibit this behavior if hardware compatibility allows
# Manual interface recovery if stalled
ip link set eth0 down
sleep 2
ip link set eth0 up
# Verify interface status
ip link show eth0
ethtool eth0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
