lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2026012347-CVE-2026-22979-b883@gregkh>
Date: Fri, 23 Jan 2026 16:24:50 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2026-22979: net: fix memory leak in skb_segment_list for GRO packets

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: fix memory leak in skb_segment_list for GRO packets

When skb_segment_list() is called during packet forwarding, it handles
packets that were aggregated by the GRO engine.

Historically, the segmentation logic in skb_segment_list assumes that
individual segments are split from a parent SKB and may need to carry
their own socket memory accounting. Accordingly, the code transfers
truesize from the parent to the newly created segments.

Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
truesize subtraction in skb_segment_list() was valid because fragments
still carry a reference to the original socket.

However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
this behavior by ensuring that fraglist entries are explicitly
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
stack. This change meant that the entire socket memory charge remained
with the head SKB, but the corresponding accounting logic in
skb_segment_list() was never updated.

As a result, the current code unconditionally adds each fragment's
truesize to delta_truesize and subtracts it from the parent SKB. Since
the fragments are no longer charged to the socket, this subtraction
results in an effective under-count of memory when the head is freed.
This causes sk_wmem_alloc to remain non-zero, preventing socket
destruction and leading to a persistent memory leak.

The leak can be observed via KMEMLEAK when tearing down the networking
environment:

unreferenced object 0xffff8881e6eb9100 (size 2048):
  comm "ping", pid 6720, jiffies 4295492526
  backtrace:
    kmem_cache_alloc_noprof+0x5c6/0x800
    sk_prot_alloc+0x5b/0x220
    sk_alloc+0x35/0xa00
    inet6_create.part.0+0x303/0x10d0
    __sock_create+0x248/0x640
    __sys_socket+0x11b/0x1d0

Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
packets constructed by GRO, the truesize adjustment is removed.

The call to skb_release_head_state() must be preserved. As documented in
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
leak"), it is still required to correctly drop references to SKB
extensions that may be overwritten during __copy_skb_header().

The Linux kernel CVE team has assigned CVE-2026-22979 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.1.85 with commit 2eeab8c47c3c0276e0746bc382f405c9a236a5ad and fixed in 6.1.161 with commit 0b27828ebd1ed3107d7929c3737adbe862e99e74
	Issue introduced in 6.6.26 with commit fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6 and fixed in 6.6.121 with commit 88bea149db2057112af3aaf63534b24fab5858ab
	Issue introduced in 6.9 with commit ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 and fixed in 6.12.66 with commit 3264881431e308b9c72cb8a0159d57a56d67dd79
	Issue introduced in 6.9 with commit ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 and fixed in 6.18.6 with commit c114a32a2e70b82d447f409f7ffcfa3058f9d5bd
	Issue introduced in 6.9 with commit ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 and fixed in 6.19-rc5 with commit 238e03d0466239410b72294b79494e43d4fabe77
	Issue introduced in 5.15.154 with commit d225b0ac96dc40d7e8ae2bc227eb2c56e130975f
	Issue introduced in 6.8.5 with commit 5b3b67f731296027cceb3efad881ae281213f86f

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-22979
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/core/skbuff.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74
	https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab
	https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79
	https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd
	https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ