Linux Kernel BPF Request Socket Leak Vulnerability

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) implementation has been identified, specifically related to a request socket leak. This issue arises when a BPF program performs a socket lookup that inadvertently increases the reference count of a request socket. The program then returns the associated listening socket without properly decrementing the reference count of the request socket, leading to a memory leak. This vulnerability was reported by a customer in a Calico cloud environment.

Impact

Exploitation of this vulnerability causes a memory leak by improperly managing the reference counts of request sockets, which can lead to increased memory usage and potential exhaustion of available memory resources.

Remediation

The vulnerability has been addressed in the official Linux kernel repository. Users should upgrade to the latest version of the Linux kernel where this patch is included.