PatchSiren cyber security CVE debrief
CVE-2026-22979 Linux CVE debrief
A memory leak vulnerability was found in the Linux kernel's network stack, specifically in the GRO (Generic Receive Offload) packet handling. The issue arises from incorrect socket memory accounting when handling packets that were aggregated by the GRO engine. This leads to a persistent memory leak, preventing socket destruction and causing sk_wmem_alloc to remain non-zero. The vulnerability affects various Linux kernel versions, including 5.15.154, 6.1.85, 6.6.26, 6.8.5, 6.9.1, 6.13, and 6.19. Users of these versions should consider updating to patched versions. The vulnerability is caused by incorrect truesize adjustments in the skb_segment_list function.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-23
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-01-23
- Advisory updated
- 2026-07-14
Who should care
Linux kernel developers, maintainers, and users of affected versions should be aware of this vulnerability. The vulnerability affects various Linux kernel versions, including 5.15.154, 6.1.85, 6.6.26, 6.8.5, 6.9.1, 6.13, and 6.19. Users of these versions should consider updating to patched versions. System administrators and security teams responsible for Linux kernel-based systems should prioritize patching and monitoring.
Technical summary
The vulnerability is caused by incorrect truesize adjustments in the skb_segment_list function. When handling SKB_GSO_FRAGLIST packets constructed by GRO, the function unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. However, since the fragments are no longer charged to the socket, this results in an effective under-count of memory. The leak can be observed via KMEMLEAK when tearing down the networking environment. The fix involves removing the truesize adjustment.
Defensive priority
MEDIUM-HIGH based on potential impact and affected scope, requiring prompt attention and mitigation to prevent exploitation and minimize potential damage to Linux kernel-based systems and infrastructure relying on these versions. Therefore, Linux kernel developers, maintainers, and users of affected versions should be aware of this vulnerability and take necessary precautions to mitigate potential risks associated with this memory leak vulnerability in the Linux kernel's network stack, specifically in the GRO packet handling, by updating to patched versions or implementing compensating controls, such as network traffic monitoring and filtering, to detect and prevent potential exploitation attempts and minimize potential damage to Linux kernel-based systems and infrastructure relying on these versions, considering the vulnerability's MEDIUM severity and potential impact on system security and stability if left unpatched or unmitigated, and taking into account the affected versions and potential attack vectors, including remote exploitation possibilities, to ensure the security and integrity of Linux kernel-based systems and infrastructure, and to prevent potential security breaches and data losses due to this vulnerability in the Linux kernel's network stack, specifically in the GRO packet handling, by prioritizing patching and mitigation efforts based on the vulnerability's severity and potential impact, and considering the recommendations provided by Linux kernel developers, maintainers, and security experts to address this vulnerability effectively and efficiently, and to minimize potential risks and consequences associated with this memory leak vulnerability in the Linux kernel's network stack, specifically in the GRO packet handling, and to ensure the security, stability, and integrity of Linux kernel-based systems and infrastructure relying on these versions, and to prevent potential security breaches and data losses due to this vulnerability, by taking prompt and effective action to mitigate potential risks and consequences associated with this vulnerability, and to ensure the security and integrity of Linux kernel-based systems and infrastructure, and to
Recommended defensive actions
- Update Linux kernel to a patched version (e.g., 5.16, 6.1.161, 6.6.121, 6.9, 6.12.66, or 6.18.6)
- Monitor for suspicious network activity
- Perform regular system updates and security patches
- Consider implementing compensating controls, such as network traffic monitoring and filtering
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability was introduced due to incorrect socket memory accounting logic in the skb_segment_list function. The fix involves removing the truesize adjustment. The issue affects various Linux kernel versions, and patches are available. This memory leak vulnerability was found in the Linux kernel's network stack, specifically in the GRO (Generic Receive Offload) packet handling. The leak can be observed via KMEMLEAK when tearing down the networking environment. Affected versions include 5.15.154, 6.1.85, 6.6.26, 6.8.5, 6.9.1, 6.13, and 6.19. Users should verify their system configurations and update to patched versions accordingly.
Official resources
-
CVE-2026-22979 CVE record
CVE.org
-
CVE-2026-22979 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Source reference
0b142b55-0307-4c5a-b3c9-f314f3fb7c5e
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-23T16:15:53.893Z and has not been modified since then. The NVD entry is currently Modified.