5.5
CVE-2026-22979
- EPSS 0.12%
- Veröffentlicht 23.01.2026 15:24:01
- Zuletzt bearbeitet 26.02.2026 23:37:06
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
net: fix memory leak in skb_segment_list for GRO packets
In the Linux kernel, the following vulnerability has been resolved:
net: fix memory leak in skb_segment_list for GRO packets
When skb_segment_list() is called during packet forwarding, it handles
packets that were aggregated by the GRO engine.
Historically, the segmentation logic in skb_segment_list assumes that
individual segments are split from a parent SKB and may need to carry
their own socket memory accounting. Accordingly, the code transfers
truesize from the parent to the newly created segments.
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
truesize subtraction in skb_segment_list() was valid because fragments
still carry a reference to the original socket.
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
this behavior by ensuring that fraglist entries are explicitly
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
stack. This change meant that the entire socket memory charge remained
with the head SKB, but the corresponding accounting logic in
skb_segment_list() was never updated.
As a result, the current code unconditionally adds each fragment's
truesize to delta_truesize and subtracts it from the parent SKB. Since
the fragments are no longer charged to the socket, this subtraction
results in an effective under-count of memory when the head is freed.
This causes sk_wmem_alloc to remain non-zero, preventing socket
destruction and leading to a persistent memory leak.
The leak can be observed via KMEMLEAK when tearing down the networking
environment:
unreferenced object 0xffff8881e6eb9100 (size 2048):
comm "ping", pid 6720, jiffies 4295492526
backtrace:
kmem_cache_alloc_noprof+0x5c6/0x800
sk_prot_alloc+0x5b/0x220
sk_alloc+0x35/0xa00
inet6_create.part.0+0x303/0x10d0
__sock_create+0x248/0x640
__sys_socket+0x11b/0x1d0
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
packets constructed by GRO, the truesize adjustment is removed.
The call to skb_release_head_state() must be preserved. As documented in
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
leak"), it is still required to correctly drop references to SKB
extensions that may be overwritten during __copy_skb_header().Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.15.154 < 5.16
Linux ≫ Linux Kernel Version >= 6.1.85 < 6.1.161
Linux ≫ Linux Kernel Version >= 6.6.26 < 6.6.121
Linux ≫ Linux Kernel Version >= 6.8.5 < 6.9
Linux ≫ Linux Kernel Version >= 6.9.1 < 6.12.66
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.6
Linux ≫ Linux Kernel Version6.9 Update-
Linux ≫ Linux Kernel Version6.9 Updaterc3
Linux ≫ Linux Kernel Version6.9 Updaterc4
Linux ≫ Linux Kernel Version6.9 Updaterc5
Linux ≫ Linux Kernel Version6.9 Updaterc6
Linux ≫ Linux Kernel Version6.9 Updaterc7
Linux ≫ Linux Kernel Version6.19 Updaterc1
Linux ≫ Linux Kernel Version6.19 Updaterc2
Linux ≫ Linux Kernel Version6.19 Updaterc3
Linux ≫ Linux Kernel Version6.19 Updaterc4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.022 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-401 Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74
https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab
https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79
https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd
https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77