CVE-2026-22979
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix memory leak in skb_segment_list for GRO packets
When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine.
Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments.
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket.
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated.
As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak.
The leak can be observed via KMEMLEAK when tearing down the networking environment:
unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed.
The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header().
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 2eeab8c47c3c0276e0746bc382f405c9a236a5ad < 0b27828ebd1ed3107d7929c3737adbe862e99e74 | affected |
| Linux | Linux | fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6 < 88bea149db2057112af3aaf63534b24fab5858ab | affected |
| Linux | Linux | ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 < 3264881431e308b9c72cb8a0159d57a56d67dd79 | affected |
| Linux | Linux | ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 < c114a32a2e70b82d447f409f7ffcfa3058f9d5bd | affected |
| Linux | Linux | ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 < 238e03d0466239410b72294b79494e43d4fabe77 | affected |
| Linux | Linux | d225b0ac96dc40d7e8ae2bc227eb2c56e130975f | affected |
| Linux | Linux | 5b3b67f731296027cceb3efad881ae281213f86f | affected |
| Linux | Linux | 6.1.85 < 6.1.161 | affected |
| Linux | Linux | 6.6.26 < 6.6.121 | affected |
| Linux | Linux | 5.15.154 < 5.16 | affected |
| Linux | Linux | 6.8.5 < 6.9 | affected |
| Linux | Linux | 6.9 | affected |
| Linux | Linux | 0 < 6.9 | unaffected |
| Linux | Linux | 6.1.161 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.121 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.66 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.6 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74
- https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab
- https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79
- https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd
- https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.