The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-22979

CVE-2026-22979: Linux Kernel Memory Leak Vulnerability

CVE-2026-22979 is a memory leak vulnerability in the Linux kernel's skb_segment_list function affecting GRO packet handling. The flaw prevents socket destruction, causing persistent memory leaks during packet forwarding.

Published: January 30, 2026

CVE-2026-22979 Overview

A memory leak vulnerability has been identified in the Linux kernel's networking subsystem, specifically in the skb_segment_list() function used during packet forwarding. This vulnerability affects the handling of packets aggregated by the Generic Receive Offload (GRO) engine, resulting in incorrect socket memory accounting that prevents proper socket destruction and leads to persistent memory leaks.

The vulnerability stems from a logic inconsistency introduced after commit ed4cccef64c1 ("gro: fix ownership transfer"), which changed how fraglist entries handle socket references. While fragments were updated to be explicitly orphaned (skb->sk = NULL), the corresponding memory accounting logic in skb_segment_list() was never adjusted. This mismatch causes sk_wmem_alloc to remain non-zero when the head SKB is freed, preventing socket destruction.

Critical Impact

Persistent memory leak in Linux kernel networking stack can lead to resource exhaustion and denial of service conditions on affected systems handling GRO packets.

Affected Products

  • Linux Kernel (multiple versions with GRO packet handling)
  • Systems utilizing SKB_GSO_FRAGLIST packets constructed by GRO
  • Network infrastructure running affected kernel versions

Discovery Timeline

  • 2026-01-23 - CVE CVE-2026-22979 published to NVD
  • 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2026-22979

Vulnerability Analysis

The memory leak occurs in the kernel's socket buffer (SKB) segmentation logic. When skb_segment_list() processes packets during forwarding operations, it handles SKBs that were aggregated by the GRO engine. The function is designed to manage memory accounting by transferring truesize from a parent SKB to newly created segments.

Prior to the problematic commit, the truesize subtraction was valid because fragments maintained a reference to the original socket. However, the ownership transfer fix changed this behavior by orphaning fraglist entries (setting skb->sk to NULL) to prevent illegal orphaning later in the networking stack. This meant the entire socket memory charge remained with the head SKB, but the accounting logic continued to subtract truesize for each fragment.

The result is an under-count of memory when the head is freed, which can be observed through KMEMLEAK when tearing down networking environments. The leak manifests as unreferenced objects remaining in memory with backtraces pointing to socket allocation functions like sk_prot_alloc, sk_alloc, and inet6_create.

Root Cause

The root cause is a logic mismatch between socket ownership handling and memory accounting in the GRO packet segmentation path. When commit ed4cccef64c1 changed fraglist entries to be orphaned, it disrupted the assumption that fragments carry socket references. The skb_segment_list() function unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB, but since fragments are no longer charged to the socket, this subtraction creates a persistent accounting error.

Attack Vector

This vulnerability is primarily a denial of service vector through resource exhaustion. While the exact attack vector complexity is unknown, an attacker with the ability to generate or route GRO-aggregated packets through an affected system could potentially trigger the memory leak condition.

The vulnerability affects the skb_segment_list() function which is exclusively used for SKB_GSO_FRAGLIST packets constructed by the GRO engine. The memory accounting error prevents proper cleanup of socket structures, leading to accumulation of unreferenced memory objects over time.

Exploitation would involve sustained network traffic that triggers the GRO aggregation and subsequent segmentation paths, causing gradual memory exhaustion on the target system.

Detection Methods for CVE-2026-22979

Indicators of Compromise

  • KMEMLEAK reports showing unreferenced socket objects with backtraces to sk_prot_alloc, sk_alloc, or inet6_create
  • Gradual increase in kernel memory usage without corresponding process memory growth
  • Socket structures remaining in memory after network connections are terminated
  • Non-zero sk_wmem_alloc values for sockets that should have been destroyed

Detection Strategies

  • Enable KMEMLEAK in kernel debugging configurations to detect unreferenced memory objects
  • Monitor /proc/slabinfo for unusual growth in socket-related slab caches
  • Use ss or netstat to identify socket resource leaks over time
  • Implement kernel memory monitoring tools to track socket allocation patterns

Monitoring Recommendations

  • Set up alerts for sustained memory growth in kernel network subsystems
  • Monitor for KMEMLEAK warnings in kernel logs (dmesg)
  • Track socket creation and destruction rates to identify imbalances
  • Implement automated testing of GRO packet handling in network environments

How to Mitigate CVE-2026-22979

Immediate Actions Required

  • Update to a patched Linux kernel version containing the fix
  • If immediate patching is not possible, consider disabling GRO on affected interfaces as a temporary workaround
  • Monitor system memory usage closely for signs of resource exhaustion
  • Plan maintenance windows for kernel updates on production systems

Patch Information

The fix removes the unnecessary truesize adjustment in skb_segment_list() since this function is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO. The patch preserves the call to skb_release_head_state() as it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header().

Multiple kernel stable branch commits have been published to address this vulnerability:

  • Kernel Git Commit 0b27828e
  • Kernel Git Commit 238e03d0
  • Kernel Git Commit 32648814
  • Kernel Git Commit 88bea149
  • Kernel Git Commit c114a32a

Workarounds

  • Temporarily disable GRO on network interfaces using ethtool -K <interface> gro off
  • Implement memory monitoring to detect and alert on potential leak conditions
  • Schedule regular system reboots for critical systems where immediate patching is not feasible
  • Consider network traffic shaping to reduce GRO packet processing load
bash
# Temporarily disable GRO on affected interface
ethtool -K eth0 gro off

# Verify GRO is disabled
ethtool -k eth0 | grep generic-receive-offload

# Monitor kernel memory for leak detection
cat /proc/meminfo | grep -E "Slab|SReclaimable|SUnreclaim"

# Enable KMEMLEAK for debugging (requires kernel config)
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeOther
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit 0b27828e
  • Kernel Git Commit 238e03d0
  • Kernel Git Commit 32648814
  • Kernel Git Commit 88bea149
  • Kernel Git Commit c114a32a
  • Related CVEs
  • CVE-2026-23457: Linux Kernel Integer Truncation Vulnerability
  • CVE-2026-23442: Linux Kernel IPv6 SRv6 Null Pointer Flaw
  • CVE-2026-23431: Linux Kernel Memory Leak Vulnerability
  • CVE-2026-31391: Linux Kernel Atmel SHA204A OOM Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English