-
CVE-2026-22979
- EPSS 0.02%
- Veröffentlicht 23.01.2026 15:24:01
- Zuletzt bearbeitet 26.01.2026 15:03:51
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
In the Linux kernel, the following vulnerability has been resolved:
net: fix memory leak in skb_segment_list for GRO packets
When skb_segment_list() is called during packet forwarding, it handles
packets that were aggregated by the GRO engine.
Historically, the segmentation logic in skb_segment_list assumes that
individual segments are split from a parent SKB and may need to carry
their own socket memory accounting. Accordingly, the code transfers
truesize from the parent to the newly created segments.
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
truesize subtraction in skb_segment_list() was valid because fragments
still carry a reference to the original socket.
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
this behavior by ensuring that fraglist entries are explicitly
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
stack. This change meant that the entire socket memory charge remained
with the head SKB, but the corresponding accounting logic in
skb_segment_list() was never updated.
As a result, the current code unconditionally adds each fragment's
truesize to delta_truesize and subtracts it from the parent SKB. Since
the fragments are no longer charged to the socket, this subtraction
results in an effective under-count of memory when the head is freed.
This causes sk_wmem_alloc to remain non-zero, preventing socket
destruction and leading to a persistent memory leak.
The leak can be observed via KMEMLEAK when tearing down the networking
environment:
unreferenced object 0xffff8881e6eb9100 (size 2048):
comm "ping", pid 6720, jiffies 4295492526
backtrace:
kmem_cache_alloc_noprof+0x5c6/0x800
sk_prot_alloc+0x5b/0x220
sk_alloc+0x35/0xa00
inet6_create.part.0+0x303/0x10d0
__sock_create+0x248/0x640
__sys_socket+0x11b/0x1d0
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
packets constructed by GRO, the truesize adjustment is removed.
The call to skb_release_head_state() must be preserved. As documented in
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
leak"), it is still required to correctly drop references to SKB
extensions that may be overwritten during __copy_skb_header().Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version <
0b27828ebd1ed3107d7929c3737adbe862e99e74
Version
2eeab8c47c3c0276e0746bc382f405c9a236a5ad
Status
affected
Version <
88bea149db2057112af3aaf63534b24fab5858ab
Version
fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6
Status
affected
Version <
3264881431e308b9c72cb8a0159d57a56d67dd79
Version
ed4cccef64c1d0d5b91e69f7a8a6697c3a865486
Status
affected
Version <
c114a32a2e70b82d447f409f7ffcfa3058f9d5bd
Version
ed4cccef64c1d0d5b91e69f7a8a6697c3a865486
Status
affected
Version <
238e03d0466239410b72294b79494e43d4fabe77
Version
ed4cccef64c1d0d5b91e69f7a8a6697c3a865486
Status
affected
Version
d225b0ac96dc40d7e8ae2bc227eb2c56e130975f
Status
affected
Version
5b3b67f731296027cceb3efad881ae281213f86f
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
6.9
Status
affected
Version <
6.9
Version
0
Status
unaffected
Version <=
6.1.*
Version
6.1.161
Status
unaffected
Version <=
6.6.*
Version
6.6.121
Status
unaffected
Version <=
6.12.*
Version
6.12.66
Status
unaffected
Version <=
6.18.*
Version
6.18.6
Status
unaffected
Version <=
*
Version
6.19-rc5
Status
unaffected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.056 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|