MEDIUM 5.5

CVE-2026-46297: Linux Kernel libwx VF Interrupt Handling Vulnerability

A vulnerability in the Linux kernel's libwx networking driver incorrectly uses a threaded interrupt handler setup with missing threaded handler logic, triggering kernel warnings and potential system instability. The issue affects virtual function (VF) miscellaneous interrupt handling. The fix involves switching to the standard non-threaded interrupt request function and removing an unnecessary flag that doesn't apply to non-threaded handlers.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
3 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: net: libwx: use request_irq for VF misc interrupt Currently, request_threaded_irq() is used with a primary handler but a NULL threaded handler, while also setting the IRQF_ONESHOT flag. This specific combination triggers a WARNING since the commit aef30c8d569c ("genirq: Warn about using IRQF_ONESHOT without a threaded handler"). WARNING: kernel/irq/manage.c:1502 at __setup_irq+0x4fa/0x760 Fix the issue by switching to request_irq(), which is the appropriate interface or a non-threaded interrupt handler, and removing the unnecessary IRQF_ONESHOT flag.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46297 occurs in the libwx driver's interrupt setup for virtual functions. The driver calls request_threaded_irq() with a valid primary handler, a NULL threaded handler, and the IRQF_ONESHOT flag set. This combination is invalid because IRQF_ONESHOT is designed to hold the interrupt disabled until a threaded handler completes—but there is no threaded handler. The kernel commit aef30c8d569c introduced a warning to catch this misconfiguration. The proper fix uses request_irq() instead, which is designed for non-threaded interrupt handlers and does not require or accept the IRQF_ONESHOT flag.

Business impact

This vulnerability causes kernel warnings and can lead to unpredictable interrupt handling behavior in systems using virtual function drivers based on libwx (such as certain Intel or Wangxun network adapters in virtualized environments). In production environments, improper interrupt handling can cause system hangs, performance degradation, or unexpected crashes, particularly under high network load or during VM migration scenarios. Organizations running virtualized infrastructure with affected adapters face potential service interruptions.

Affected systems

The Linux kernel in any version that includes the libwx driver with the vulnerable interrupt setup pattern. This primarily affects systems using Wangxun or compatible network adapters in virtual machine hosts or cloud environments where virtual function passthrough or SR-IOV is enabled. The vulnerability is present in mainline kernel versions before the fix is applied; specific affected version ranges should be verified against the applicable Linux distribution's advisory.

Exploitability

This is not a remotely exploitable vulnerability. Exploitation requires local access and the ability to trigger interrupt processing on the affected network device—typically through sustained network traffic or explicit driver operations. The vulnerability manifests as a kernel warning and degraded interrupt handling rather than arbitrary code execution. An unprivileged local user with network access to a virtual function could potentially trigger the warning condition repeatedly, leading to denial of service through interrupt mishandling.

Remediation

Apply a kernel update that includes the fix for CVE-2026-46297. The fix modifies the libwx driver to use request_irq() in place of request_threaded_irq() for the VF miscellaneous interrupt handler, and removes the IRQF_ONESHOT flag. Verify that the kernel version or distribution patch level matches or exceeds the version containing this fix before deployment.

Patch guidance

Monitor your Linux distribution's security advisories and kernel update channels for patches addressing CVE-2026-46297. If you are running a custom or mainline kernel, apply the patch that changes the VF interrupt setup in the libwx driver from request_threaded_irq() to request_irq(). Test the patched kernel in a non-production environment first, particularly if your workload involves high-volume network traffic or virtual function operations. Kernel updates typically require a system reboot; plan maintenance windows accordingly.

Detection guidance

Review kernel logs (dmesg, /var/log/kern.log) for warnings originating from kernel/irq/manage.c line 1502 with the message about IRQF_ONESHOT. Affected systems will show warnings when the libwx driver loads or when virtual functions are initialized. Monitor interrupt statistics using /proc/interrupts or tools like 'watch' to identify anomalous interrupt counts on affected adapters. In virtualized environments, correlate VF initialization with warnings in the host kernel log.

Why prioritize this

This vulnerability rates as medium severity (CVSS 5.5) due to its local attack vector, requirement for system access, and impact limited to denial of service through interrupt mishandling rather than data breach or code execution. However, it should be prioritized for systems running high-availability workloads or cloud infrastructure where virtual function drivers are active, because even occasional interrupt mishandling can cascade into service disruptions. Organizations with Wangxun adapters or compatible SR-IOV configurations should treat this as a standard maintenance priority rather than an emergency.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects: attack vector LOCAL (system access required), attack complexity LOW (no special conditions), privilege level LOW (unprivileged user can trigger), user interaction NOT required, scope UNCHANGED (impact confined to the affected device), confidentiality NONE (no data disclosure), integrity NONE (no data modification), and availability HIGH (interrupt mishandling causes DoS). The score does not escalate to high because exploitation is local-only and requires presence of the specific hardware driver, but the high availability impact reflects real risk to system stability.

Frequently asked questions

Does this vulnerability allow remote code execution or privilege escalation?

No. CVE-2026-46297 is limited to denial of service through improper interrupt handling. It does not enable code execution, privilege escalation, or information disclosure. An attacker would need local system access and the ability to trigger network traffic on a virtual function device.

Which network adapters or drivers are affected?

The vulnerability exists in the Linux kernel's libwx driver, which is used by Wangxun and compatible network adapters, particularly in virtual function (SR-IOV) configurations. Verify your adapter's driver and kernel version against your Linux distribution's security advisory to confirm if you are affected.

Do I need to reboot to apply the patch?

Yes, kernel patches require a system reboot to take effect. Plan your patch deployment during a scheduled maintenance window. Virtual machine hosts should be patched and rebooted before or after guest VM migrations to minimize disruption.

What happens if I don't patch this vulnerability?

Unpatched systems will continue to experience kernel warnings and potentially degraded or unreliable interrupt handling on affected network adapters, leading to packet loss, connection drops, or system hangs under sustained network load. The risk increases in production environments with high traffic or virtualized infrastructure.

This analysis is provided for informational purposes and is based on the vulnerability description and CVSS vector published for CVE-2026-46297. Security leaders should verify all patch versions, affected product lists, and remediation steps against official Linux distribution advisories and vendor security bulletins before implementing changes in production environments. This vulnerability does not appear on the CISA KEV catalog as of the publication date; however, organizations should monitor for updates. No exploit code or weaponized proof-of-concept is provided or endorsed. Always test patches in a non-production environment before wide deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).