WSL2 Mirrored Mode silently locks massive continuous ranges of localhost ports (WinError 10013)

[Horjer]

Windows Version

Microsoft Windows [Version 10.0.26200.8117]

WSL Version

2.6.3.0

Are you using WSL 1 or WSL 2?

• WSL 2
• WSL 1

Kernel Version

6.6.87.2-1

Distro Version

Ubuntu 24.04.4 LTS

Other Software

Python 3.11.4 (Running on Windows Host)
(This issue affects any host-side application trying to bind to these ports, e.g., Node.js, Java, etc.)

Repro Steps

1. Open %USERPROFILE%\.wslconfig on the Windows host.
2. Add networkingMode=mirrored under the [wsl2] section.
3. Ensure no local services are currently running on the high ports (e.g., 48080).
4. Start the WSL instance (e.g., open Ubuntu terminal).
5. Open Windows PowerShell on the host and run: python -m http.server 44620 --bind 127.0.0.1 or python -m http.server 48080 --bind 127.0.0.1

Expected Behavior

When networkingMode=mirrored is enabled, host applications should still be able to bind to unused localhost ports. If I configure ignoredPorts=48080, that specific port should be completely ignored by WSL and remain fully available to the Windows host.

Actual Behavior

When mirrored mode is enabled, the underlying network engine (likely HNS/WFP) silently and aggressively locks a massive, continuous range of high ports (as well as specific ignoredPorts).

When a host application attempts to bind to these ports on 127.0.0.1, it crashes with PermissionError: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions.

Critical Note: These locked ports DO NOT show up in netstat -ano and are NOT listed in netsh interface ipv4 show excludedportrange. They are reserved at the driver/kernel level.

Control Variable Tests Performed:

• Test A: Verified no background services in Ubuntu (sudo ss -tulnp).
• Test B: Disabled autoProxy=true. The massive port lock persisted.
• Test C: Removed ignoredPorts. The massive port lock persisted.
• Test D (The only workaround): Commented out networkingMode=mirrored (reverting to NAT mode) and restarted WSL. All ports immediately became available, and the 10013 error disappeared.

Evidence of massive port locking (Scanned via Python socket script from port 40000 to 50000):
Total silently locked ports found: 4103

• Ports 44620 through 48715 are continuously locked
• Ports 49664 through 49668 are continuously locked
• Ports 49672 through 49673 are continuously locked

Diagnostic Logs

No specific Feedback Hub logs collected yet, but the issue is 100% reproducible by simply scanning localhost port availability (catching WinError 10013) immediately after a WSL instance starts in mirrored mode.

[github-actions]

Logs are required for review from WSL team

If this a feature request, please reply with '/feature'. If this is a question, reply with '/question'.
Otherwise, please attach logs by following the instructions below, your issue will not be reviewed unless they are added. These logs will help us understand what is going on in your machine.

How to collect WSL logs

Download and execute collect-wsl-logs.ps1 in an administrative powershell prompt:

Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-wsl-logs.ps1" -OutFile collect-wsl-logs.ps1
Set-ExecutionPolicy Bypass -Scope Process -Force
.\collect-wsl-logs.ps1

The script will output the path of the log file once done.

If this is a networking issue, please use .\collect-wsl-logs.ps1 -LogProfile networking instead, following the instructions in Collect WSL logs for networking issues

Once completed please upload the output files to this GitHub issue.

See Collect WSL logs (recommended method).

If you choose to email these logs instead of attaching them to the bug, please send them to wsl-gh-logs@microsoft.com with the GitHub issue number in the subject, and include a link to your GitHub issue comment in the message body, and reply with '/emailed-logs'.

[Horjer]

Here are the networking diagnostic logs as requested. The logs captured the moment WSL started in mirrored mode and the subsequent WinError 10013 when trying to bind to port 48080 on the host.

WslLogs-2026-04-13_17-20-10.zip

[github-actions]

The log file doesn't contain any WSL traces. Please make sure that you reproduced the issue while the log collection was running.

Diagnostic information

.wslconfig found
Detected appx version: 2.6.3.0
Found no WSL traces in the logs