CVE-2026-31691
Description
In the Linux kernel, the following vulnerability has been resolved:
igb: remove napi_synchronize() in igb_down()
When an AF_XDP zero-copy application terminates abruptly (e.g., kill -9), the XSK buffer pool is destroyed but NAPI polling continues. igb_clean_rx_irq_zc() repeatedly returns the full budget, preventing napi_complete_done() from clearing NAPI_STATE_SCHED.
igb_down() calls napi_synchronize() before napi_disable() for each queue vector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clear, which never happens. igb_down() blocks indefinitely, the TX watchdog fires, and the TX queue remains permanently stalled.
napi_disable() already handles this correctly: it sets NAPI_STATE_DISABLE. After a full-budget poll, __napi_poll() checks napi_disable_pending(). If set, it forces completion and clears NAPI_STATE_SCHED, breaking the loop that napi_synchronize() cannot.
napi_synchronize() was added in commit 41f149a285da ("igb: Fix possible panic caused by Rx traffic arrival while interface is down"). napi_disable() provides stronger guarantees: it prevents further scheduling and waits for any active poll to exit. Other Intel drivers (ixgbe, ice, i40e) use napi_disable() without a preceding napi_synchronize() in their down paths.
Remove redundant napi_synchronize() call and reorder napi_disable() before igb_set_queue_napi() so the queue-to-NAPI mapping is only cleared after polling has fully stopped.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Removing redundant napi_synchronize() in igb_down() prevents a deadlock when AF_XDP zero-copy applications abort.
Vulnerability
In the Linux kernel's igb driver, a deadlock occurs in igb_down() when an AF_XDP zero-copy application is abruptly terminated (e.g., via kill -9). The XSK buffer pool is destroyed, but NAPI polling continues; igb_clean_rx_irq_zc() returns the full budget, preventing napi_complete_done() from clearing NAPI_STATE_SCHED. The call to napi_synchronize() in igb_down() then spins indefinitely waiting for that flag to clear, causing a permanent hang.
Exploitation
An attacker with local access who can trigger the abrupt termination of an AF_XDP zero-copy application on an Intel Gigabit Ethernet interface can cause the driver's igb_down() path to block forever. No special network access or authentication beyond the ability to run and kill AF_XDP applications is required.
Impact
The TX watchdog subsequently fires, and the TX queue remains permanently stalled, resulting in a denial of service (DoS) on the affected network interface. This can disrupt networking for other processes relying on that interface.
Mitigation
The fix removes the redundant napi_synchronize() call and reorders napi_disable() to occur before clearing the queue-to-NAPI mapping, aligning the igb driver with other Intel drivers like ixgbe, ice, and i40e [1]. The patch has been accepted into the Linux kernel stable branches.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.14,<6.18.23
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.