Description
In the Linux kernel, the following vulnerability has been resolved:

net: fix memory leak in skb_segment_list for GRO packets

When skb_segment_list() is called during packet forwarding, it handles
packets that were aggregated by the GRO engine.

Historically, the segmentation logic in skb_segment_list assumes that
individual segments are split from a parent SKB and may need to carry
their own socket memory accounting. Accordingly, the code transfers
truesize from the parent to the newly created segments.

Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
truesize subtraction in skb_segment_list() was valid because fragments
still carry a reference to the original socket.

However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
this behavior by ensuring that fraglist entries are explicitly
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
stack. This change meant that the entire socket memory charge remained
with the head SKB, but the corresponding accounting logic in
skb_segment_list() was never updated.

As a result, the current code unconditionally adds each fragment's
truesize to delta_truesize and subtracts it from the parent SKB. Since
the fragments are no longer charged to the socket, this subtraction
results in an effective under-count of memory when the head is freed.
This causes sk_wmem_alloc to remain non-zero, preventing socket
destruction and leading to a persistent memory leak.

The leak can be observed via KMEMLEAK when tearing down the networking
environment:

unreferenced object 0xffff8881e6eb9100 (size 2048):
comm "ping", pid 6720, jiffies 4295492526
backtrace:
kmem_cache_alloc_noprof+0x5c6/0x800
sk_prot_alloc+0x5b/0x220
sk_alloc+0x35/0xa00
inet6_create.part.0+0x303/0x10d0
__sock_create+0x248/0x640
__sys_socket+0x11b/0x1d0

Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
packets constructed by GRO, the truesize adjustment is removed.

The call to skb_release_head_state() must be preserved. As documented in
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
leak"), it is still required to correctly drop references to SKB
extensions that may be overwritten during __copy_skb_header().
Published: 2026-01-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak
Action: Patch
AI Analysis

Impact

The Linux kernel networking module includes a memory leak (CWE‑401) in the skb_segment_list() function when handling packets aggregated by the Generic Receive Offload (GRO) engine. The function incorrectly subtracts the truesize of each fragment packet from the parent socket’s memory counter even though the fragments are no longer charged to the socket. This miscount causes sk_wmem_alloc to remain non‑zero after the socket is freed, preventing socket destruction and resulting in a persistent leak of kernel memory.

Affected Systems

This flaw affects the Linux kernel, vendor Linux, specifically kernel versions 6.9 (including release candidates rc1 through rc7) and 6.19 (rc1 through rc4). Users should verify that their installed kernel contains the relevant code paths and has applied the fix that restores correct truesize handling in skb_segment_list() .

Risk and Exploitability

The likely attack vector is network traffic that causes the kernel's GRO engine to process packets, potentially triggered by an attacker sending specially crafted packets. The CVSS score is 5.5, indicating moderate severity, and the EPSS score is less than 1%, which suggests a very low probability of exploitation at any given time. The vulnerability is not listed in the CISA KEV catalog. The flaw does not provide direct code execution or immediate denial of service, but it may result in gradual kernel memory exhaustion if left unpatched.

Generated by OpenCVE AI on April 18, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a recent Linux kernel update that includes the commit restoring correct truesize handling in skb_segment_list() (which implements the revert of the ownership transfer logic).
  • Verify that the updated kernel also incorporates the reference‑count fix for fragment segmentation (cf673ed0e057) to ensure proper cleanup of SKB extensions.
  • After applying the patch, reboot the system or restart network services to clear the leak counter and confirm that the memory leak is resolved.

Generated by OpenCVE AI on April 18, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
History

Thu, 26 Feb 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc7:*:*:*:*:*:*

Sat, 24 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 23 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket. However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated. As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak. The leak can be observed via KMEMLEAK when tearing down the networking environment: unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0 Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed. The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header().
Title net: fix memory leak in skb_segment_list for GRO packets
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:29.263Z

Reserved: 2026-01-13T15:37:45.936Z

Link: CVE-2026-22979

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T16:15:53.893

Modified: 2026-02-26T23:37:06.353

Link: CVE-2026-22979

cve-icon Redhat

Severity : Low

Publid Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22979 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses