RSS

Host Shield for Linux Release Notes

Welcome to the release notes for Sysdig Host Shield for Linux.
Deprecation Notice

Support Ending

  • Starting with version 14.3.0, Legacy eBPF is deprecated.
  • Future releases will no longer introduce new features for Legacy eBPF.
  • To ensure continued feature support and compatibility, we strongly recommend migrating to:
  • For more information, see the full Drivers documentation.
  • Secure Mode is now deprecated and will be permanently retired on December 4, 2026. To ensure continued support and benefit from improved performance, migrate to Secure_Light mode. This mode offers enhanced efficiency and is the long-term supported option moving forward.
  • See the deprecation policy for more details.

14.4.0 February 17, 2026

  • Supported sysdig-deploy version: 1.103.0
  • Supported Falco Engine version: 1000.52
  • Supported shield chart version: 1.28.0

Enhancements

Sysdig Host Shield Key Stored in Memory

  • Host Shield can now load the access key from the SYSDIG_HOST_SHIELD_SYSDIG_ENDPOINT__ACCESS_KEY operating system environment variable. The access key will be stored in memory only and will not be written to disk.

Reduced Collector Connection Log Verbosity

  • Reduced error log verbosity when retrying connections to the Sysdig collector.

Improved Docker Audits with Mirantis Container Runtime (MCR)

  • Enhanced Docker audits to skip evaluation when Mirantis Container Runtime (MCR) is detected.

Amazon Kinesis in Agent Local Forwarding

Starting from this release, Amazon Kinesis is available as target integration in Agent Local Forwarding, supporting both Amazon Kinesis Firehose and Amazon Kinesis Data Streams as configurable targets. For more information, see:

Defect Fixes

  • Fixed an issue where a malformed message shared may lead to backend disconnections.
  • Fixed metadata retrieval for IBM standalone virtual server instances.
  • Fixed an issue affecting the detection of incorrect container memory limits.
  • Fixed a minor memory usage issue in StatsD connection handling.
  • Fixed exceptions that occurred when the set of block devices present during aggregation changed.
  • Added support for Kubernetes version 1.29 to 1.32, including updated compliance audit coverage.
  • Fixed an issue that could cause Host Shield to run unnecessary Vulnerability Management scans after restarts.
  • Fixed a pipe descriptor leak on Shield restart when Host Scanner or Rapid Response is enabled.
  • Fixed the skip_events_by_process configuration to skip child processes spawned both before and after the Shield starts. This affects Host Shield version 14.3.x.
  • Improved Shield support bundle generation.
    • Support bundles are now created in the /tmp/ directory.
    • Added a compression fallback chain (bzip2 → gzip → uncompressed tar) to ensure bundle collection succeeds when preferred compression tools are unavailable.

Vulnerability Fixes

Addressed the following vulnerabilities:

Known Issues

  • FIM detection relies on BPF_LINK_CREATE, which is not available on kernel versions earlier than 5.7 or libbpf versions earlier than 0.0.8. When this capability is unavailable, FIM detection will fail to initialize.

Sysdig plans to fix this in an upcoming release.

Workaround

Upgrade the host kernel to version 5.7 or later, upgrade libbpf to version 0.0.8 or later, or temporarily disable the FIM feature before upgrading Shield.

14.3.2 January 15, 2026

  • Supported sysdig-deploy version: 1.99.7
  • Supported Falco Engine version: 1000.51
  • Supported shield chart version: 1.25.4

Defect Fixes

  • Fixed metadata retrieval in IBM standalone virtual server instances.
  • Fixed a bug that could cause the Shield to enter an infinite loop when handling the recvmsg and recvmmsg syscalls.

Vulnerability Fixes

Addressed the following vulnerabilities: