Only the latest release on the main branch receives security fixes.

Do not open a public GitHub issue for security vulnerabilities.

Report security issues privately via GitHub's Security Advisories or by emailing the maintainer directly (see the commit history for contact).

Please include:

• A clear description of the vulnerability
• Steps to reproduce or a proof-of-concept
• Affected versions
• Potential impact

You will receive an acknowledgement within 72 hours. A fix will be prepared privately and released with a coordinated disclosure.

Areas of particular concern:

• BPF program safety (verifier bypass, out-of-bounds access)
• Key handling or key material leakage
• Packet injection or decryption without a valid shared key
• Privilege escalation via the gutd daemon

• Attacks that require physical access to the host
• Denial of service via resource exhaustion on the host OS
• Vulnerabilities in upstream Linux kernel or WireGuard itself