Host Shield for Linux Release Notes

Welcome to the release notes for Sysdig Host Shield for Linux.
Deprecation Notice

Support Ending

  • Starting with version 14.3.0, Legacy eBPF is deprecated.
  • Future releases will no longer introduce new features for Legacy eBPF.
  • To ensure continued feature support and compatibility, we strongly recommend migrating to:
  • For more information, see the full Drivers documentation.
  • Secure Mode is now deprecated and will be permanently retired on December 4, 2027. To ensure continued support and benefit from improved performance, migrate to Secure_Light mode. This mode offers enhanced efficiency and is the long-term supported option moving forward.
  • See the deprecation policy for more details.

14.3.0 December 04, 2025

  • Supported sysdig-deploy version: 1.99.0
  • Supported Falco Engine version: 1000.51
  • Supported shield chart version: 1.25.0

Enhancements

Improved Container Metadata Retrieval

Container metadata retrieval has been redesigned to use container-runtime listen APIs. Previously, Host Shield retrieved container information asynchronously on the first process event (clone, execve, fork) inside the container, which could leave the earliest syscall events without container metadata.

With the new design, Host Shield now receives container metadata at container creation time, before the container is scheduled for execution, typically thousands of events or up to 100 ms earlier. This ensures container details are available from the very first event.

Supported Container Engines:

  • Docker
  • Podman v4.0.0 onwards
  • containerd
  • CRI (containerd, CRI-O, k3s)
  • LXC
  • BPM

Multiple CRI Sockets Support

Host Shield can now connect to multiple CRI endpoints simultaneously. This is useful in environments where multiple container runtimes are available, such as clusters running both containerd and CRI-O.

New Container Runtime Configuration

Container engine settings have moved to a new container_runtime configuration section. This updated structure provides clearer organization and allows you to define custom socket paths for each engine:

container_runtime:
  docker:
    enabled: true
    sockets: ["/var/run/docker.sock"]
  podman:
    enabled: true
    sockets: ["/run/podman/podman.sock"]
  cri:
    enabled: true
    sockets: ["/run/containerd/containerd.sock", "/run/crio/crio.sock"]

The previous container_engines configuration keys will continue to be supported for 12 months, until November 2026, to ensure backward compatibility.

FIM Detections

A new Sysdig Secure Runtime detection type, File Integrity Monitoring (FIM) is now available. Refer to the FIM configuration page to learn how to enable and configure it.

Malware Detections: Extended YARA Support

This Host Shield version introduces expanded support for the YARA language, including rules that use wildcards. This enhancement enables the Threat Research Team to deliver additional YARA rules that are fully compatible with this and future Shield versions. See malware policy for more details.

Improved Host Scanner Container Runtime Socket Path Handling

The container runtime socket path configuration is now simplified to remove ambiguity. The previously supported configuration options:

  • host_scanner.docker_socket_paths
  • host_scanner.podman_socket_paths

have been deprecated in favor of the new fields:

  • host_scanner.docker_socket_path
  • host_scanner.podman_socket_path

Only one socket path per container runtime is now supported. Deprecated options continue to work for backward compatibility, but only the first value in the socket path list is used.

Tunable Probe Buffer Size and CPU Sharing

New configuration options are now available to fine-tune in-probe event processing:

sinsp:
  buffer_size_mb: 8 # default; allowed values: 1–512 (powers of two)
  universal_ebpf_cpu_per_buffer: 2 # default

  • sinsp.buffer_size_mb: Defines the size (in MB) of the event processing buffer inside the probe. Allowed values are: 1, 2, 4, 8, 16, 32, 64, 128, 256, 512. This setting applies to all probe types.

  • sinsp.universal_ebpf_cpu_per_buffer: Controls how internal buffers are shared across CPUs for the Universal eBPF probe. For example, on an 8-core node, setting this value to 2 creates 4 internal buffers, each shared by two CPUs.

These options provide greater control over probe behavior during syscall event spikes.

Changing these settings without consulting Sysdig Support may cause memory issues. Memory allocated in eBPF probes counts toward process limits, and increasing buffer sizes may trigger Kubernetes memory limits or the Agent’s internal watchdog.

Defect Fixes

  • Fixed an issue that prevented certain HTTP network metrics from being emitted.

Known Issues

  • The File Integrity Monitoring (FIM) feature functions as expected. However, it currently requires an additional configuration flag to be enabled:

    security:
      enabled: true

    Sysdig is aware of this dependency and will remove the need for this flag in an upcoming release.

  • Custom Falco rules that use any of the following fields in their condition or output may cause Sysdig Shield to restart:

    • container.start_ts
    • container.duration
    • proc.is_container_healthcheck
    • proc.is_container_liveness_probe
    • proc.is_container_readiness_probe

    As a workaround, update the rule condition to exclude container events or restrict it to specific event types, for example:

      evt.type != container

    or

      evt.type = <specific type>

    Sysdig is aware of this and is working on a fix in an upcoming release.
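As an added example (not part of these release notes or of Sysdig's tooling), a Python check that scans custom Falco rules for the fields listed above and reports rules whose condition lacks the documented evt.type guard, so they can be reviewed before upgrading to 14.3.0. It assumes the rules file has already been loaded with yaml.safe_load() into a list of dicts, expands macros by plain textual substitution, and, as an assumption beyond the two documented forms, also accepts `evt.type in (...)` as a guard; the sample rules are constructed.

```python
import re

# Fields the 14.3.0 release notes list as able to restart Shield when used
# in a custom rule's condition or output.
RESTART_FIELDS = ("container.start_ts", "container.duration", "proc.is_container_healthcheck",
                  "proc.is_container_liveness_probe", "proc.is_container_readiness_probe")
FIELD_RE = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, RESTART_FIELDS)) + r")(?![\w.])")
# Documented guards: `evt.type != container` or `evt.type = <specific type>`.
# Assumption: `evt.type in (...)` also pins the rule to specific event types.
GUARD_RE = re.compile(r"evt\.type\s*(?:!=\s*container\b|=\s*(?!container\b)\w+|in\s*\()")

def expand_macros(condition, macros, depth=10):
    """Textually substitute macro names (but not values after '=') so an
    evt.type guard hidden in a macro such as spawned_process is visible."""
    for _ in range(depth):
        expanded = condition
        for name, body in macros.items():
            pat = r"(?<![\w.])(?<!=)(?<!=\s)" + re.escape(name) + r"(?![\w.])"
            expanded = re.sub(pat, lambda m, b=body: "(" + b + ")", expanded)
        if expanded == condition:
            break
        condition = expanded
    return condition

def check_rules(items):
    """Return [(rule name, [fields used])] for rules that reference a restart-triggering
    field but carry no evt.type guard. `items` is what yaml.safe_load() returns for a rules file."""
    macros = {i["macro"]: i.get("condition", "") for i in items if "macro" in i}
    findings = []
    for item in items:
        if "rule" not in item:
            continue  # macros and lists are not rules
        cond = expand_macros(item.get("condition", ""), macros)
        used = sorted(set(FIELD_RE.findall(cond + " " + item.get("output", ""))))
        if used and not GUARD_RE.search(cond):
            findings.append((item["rule"], used))
    return findings

# Constructed sample rules, not taken from any real rules file.
SAMPLE_RULES = [
    {"macro": "spawned_process", "condition": "evt.type in (execve, execveat) and evt.dir=<"},
    {"rule": "Healthcheck spawned shell", "priority": "NOTICE",
     "condition": "spawned_process and proc.is_container_healthcheck=true and proc.name=sh",
     "output": "healthcheck shell (cmd=%proc.cmdline)"},
    {"rule": "Long lived container", "priority": "INFO",
     "condition": "container.duration > 3600000000000",
     "output": "up %container.duration ns (start=%container.start_ts)"},
]
```

Running check_rules(SAMPLE_RULES) flags only "Long lived container": the healthcheck rule is already restricted to execve events through the spawned_process macro.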

Vulnerability Fixes

14.2.5 November 26, 2025

  • Supported sysdig-deploy version: 1.96.5
  • Supported Falco Engine version: 1000.49.0
  • Supported shield chart version: 1.23.4

Defect Fixes

This release is required only for customers who are contacted directly by a Sysdig representative. No upgrade is needed otherwise.

14.2.4 November 19, 2025

  • Supported sysdig-deploy version: 1.96.4
  • Supported Falco Engine version: 1000.49.0
  • Supported shield chart version: 1.23.2

Vulnerability Fixes

This release addresses the following security vulnerabilities:

14.2.3 October 30, 2025

  • Supported sysdig-deploy version: 1.96.0
  • Supported Falco Engine version: 1000.49.0
  • Supported shield chart version: 1.22.0

Vulnerability Fixes

This release addresses the following security vulnerabilities:

14.2.2 October 08, 2025

  • Supported sysdig-deploy version: 1.95.3
  • Supported Falco Engine version: 1000.49.0
  • Supported shield chart version: 1.21.1

Updates

Host Posture

Updated KSPM Analyzer component in Host Posture for improved resiliency. See KSPM Analyzer release notes for more details.

Defect Fixes

  • Fixed an issue causing app checks to progressively consume more memory unexpectedly.
  • Fixed an issue preventing Shield from starting in legacy eBPF mode on most recent kernels (6.16.1, 6.15.10, 6.12.42, 6.6.102, 6.1.148 and later).

Vulnerability Fixes

This release addresses the following security vulnerabilities:

14.2.1 September 9, 2025

  • Supported sysdig-deploy version: 1.93.2
  • Supported Falco Engine version: 1000.49.0
  • Supported shield chart version: 1.19.1

Enhancements

Pre-filled DNS Cache for IBM Cloud Metadata Service

The DNS cache is now automatically pre-filled to avoid resolving the IBM Cloud metadata service HTTPS endpoint, improving reliability.

Defect Fixes

  • Fixed the legacy AppChecks for MongoDB. For X.509 authentication, ssl_keyfile is no longer supported. Instead, provide both the certificate and key in a single file specified with ssl_certfile.

Vulnerability Fixes

This release addresses the following security vulnerabilities:

14.2.0 August 28, 2025

  • Supported sysdig-deploy version: 1.93.0
  • Supported Falco Engine version: 1000.49.0
  • Supported shield chart version: 1.18.0

Enhancements

IPv4 and IPv6 Enrichment for Secure Threat Events

Host Shield can now enrich Sysdig Secure threat events with the IPv4 and IPv6 addresses of related instances. See configuration for more details.

New Metric for Container Filesystem

Added a metric sysdig_container_fs_rw_used_bytes to monitor read/write usage on container filesystems.

Added Oracle Cloud (OCI) and IBM Cloud Metadata in Events

Events now include metadata from Oracle Cloud (OCI) and IBM Cloud for improved visibility and context. To disable OCI and IBM metadata, add the following settings to your Shield chart configuration.

host:
  additional_settings:
    collect_ibm_metadata: false # To disable IBM metadata collection
    collect_oci_metadata: false # To disable OCI metadata collection

Selective enablement of Response Actions

Response actions can now be enabled or disabled individually, so you can grant permissions granularly based on the actions you want to use in your environment. For more details, see Response Actions.

Defect Fixes

  • Resolved AppChecks compatibility issues with specific Python versions.
  • Resolved a bug that prevented Host Shield from correctly detecting Windows vulnerabilities.
  • skip_events_by_process now skips child processes spawned both before and after the Agent starts.

Known Issues

  • AppChecks for MongoDB metrics are not functional in this release. A fix will be available in an upcoming release.

Vulnerability Fixes

This release addresses the following security vulnerabilities:

14.1.1 August 5, 2025

  • Supported sysdig-deploy version: 1.91.1
  • Supported Falco Engine version: 1000.47.0
  • Supported shield chart version: 1.15.2

Defect Fixes

  • Fixed an issue that prevented CPU profiles from being generated.

Vulnerability Fixes

This release addresses the following security vulnerabilities:

14.1.0 July 28, 2025

  • Supported sysdig-deploy version: 1.90.0
  • Supported Falco Engine version: 1000.47.0
  • Supported shield chart version: 1.13.0

Enhancements

Metadata Retrieval Timeout Configuration

  • Introduced a new flag custom_container.metadata_deadline_secs to configure the time window during which metadata can be retrieved.

Timestamped CPU Profile Storage

  • The runtime agent now stores CPU profiles with date and time in the file names.

Defect Fixes

  • Fixed an issue where the probe download script incorrectly reported the eBPF probe download as successful, even in case of failure.
  • Added support for detecting libpod containers running with the cgroups mode set to split.

Vulnerability Fixes

This release addresses the following security vulnerabilities:

14.0.1 June 25, 2025

  • Supported sysdig-deploy version: 1.87.1
  • Supported Falco Engine version: 1000.45.0
  • Supported shield chart version: 1.11.1

Defect Fixes

  • Fixed build failures of the legacy eBPF probe on the most recent 6.15 kernels.

Vulnerability Fixes

This release addresses the following security vulnerabilities:

14.0.0 June 17, 2025

  • Supported sysdig-deploy version: 1.86.0
  • Supported Falco Engine version: 1000.45.0
  • Supported shield chart version: 1.9.0

This release introduces major changes, including performance improvements, new defaults, and component deprecations. Review carefully, as some updates may require action.

Enhancements

Dynamic Syscall Filtering

Host Shield introduces a new capability, Dynamic Syscall Filtering, to improve performance and resilience while reducing resource requirements. This feature is enabled by default. It monitors only the system calls required by active features, plugins, and policies, significantly reducing system call volume and system overhead. This dynamic filtering improves performance and resilience, especially in lightweight Host Shield modes and high-load environments, by lowering CPU and memory usage. For more details, see Dynamic Syscall Filtering.

Secure Light Default Mode

The shield and sysdig-deploy Helm charts now switch to secure_light mode by default when monitor features are not enabled, delivering significantly improved performance and reliability out of the box.

Improved Posture Connectivity Resiliency

Changed the default transport protocol for the Posture feature from nats to https to improve resilience against transient network failures and round-trip communication issues.

New Option to Skip Failed DNS Request

Previously, the dns_detection feature did not raise events for failed DNS requests. Now, dns_detection processes all DNS requests, including failed ones, and consequently applies policies on the raised events. You can enable the new dns_detection.skip_failed_requests option (disabled by default) in the shield chart to restore the previous behavior of skipping failed DNS requests and prevent related events from being raised. This helps reduce noise if these types of errors are not relevant to your environment.

Flatcar OS supported

Flatcar OS is now supported on Sysdig Shield.

Deprecations

Custom App Checks Sunset

Custom App Checks are no longer supported.

AppChecks Python 2.7

App Checks using Python 2.7 are no longer supported.

Minimum Kernel Version Set to 3.10

Linux kernel versions older than 3.10 are no longer supported.

Defect Fixes

Fixed Kernel Header Install on Debian

  • Fixed an issue where the install script on Debian-based systems was unexpectedly installing Kernel headers even when universal eBPF was selected.

Vulnerability Fixes

This release addresses the following security vulnerabilities:

13.9.2 May 22, 2025

  • Supported sysdig-deploy version: 1.84.2
  • Supported Falco Engine version: 1000.42.0
  • Supported shield chart version: 1.6.3

Defect Fixes

  • The install script now skips unnecessary kernel header installation on Debian systems when universal eBPF is selected, enabling faster, cleaner installs with reduced dependencies.

Vulnerability Fixes

This release addresses the following security vulnerability:

13.9.1 May 09, 2025

  • Supported sysdig-deploy version: 1.83.0
  • Supported Falco Engine version: 1000.42.0
  • Supported shield chart version: 1.6.0

Defect Fixes

Fixed an issue in the Universal eBPF driver that introduced increased latency for the sendmmsg and recvmmsg syscalls.

13.9.0 May 1, 2025

  • Supported sysdig-deploy version: 1.81.0
  • Supported Falco Engine version: 1000.42.0
  • Supported shield chart version: 1.4.0

Known Issue

If you’re using Agent version 13.9.0 with the universal_ebpf probe, you may experience high CPU usage and reduced system performance. This issue is related to how the agent handles the sendmmsg and recvmmsg syscalls.

To reduce the impact, update your agent configuration to skip these events.

skip_events_by_type:
  - recvmmsg
  - sendmmsg

Enhancements

Network Security on Secure Light mode

Network Security (NetSec) is now supported in Secure Light mode, providing feature parity with Secure mode while significantly reducing resource consumption and preserving key security functionality.

Activity Audit container interactive processes tracking

Activity Audit now focuses on interactive processes inside containers by default, making collected data more relevant and reducing noise. By default, only interactive commands (that is, actions with a bound TTY) generate Activity Audit events.

For example:

  • kubectl -it exec POD -- COMMAND : Event is reported (interactive).
  • kubectl exec POD -- COMMAND : Event is not reported (non-interactive).

If you prefer to also include non-interactive executions, you can revert to the previous behavior by enabling this option in your dragent.yaml:

secure_audit_streams:
  container_processes_include_non_interactive_exec: true

Response Actions

The new Response Actions feature lets you execute actions on your workloads from Sysdig in response to ongoing threats and incidents. The actions included in this release are:

  • Container kill/stop/pause
  • Process kill
  • File quarantine
  • File acquire

Actions can also be reverted, where applicable.

For additional information, see Response Actions.

Reduced overhead of JMX instrumentation

Java process metrics can be scraped only if a corresponding hsperfdata file exists; processes without an hsperfdata file are skipped. A new configuration option lets you specify a minimum age for hsperfdata files: if an hsperfdata file is younger than the configured threshold, the corresponding Java process is not scraped.

jmx:
  enforce_hsperfdata_exists: true
  jmx_scrape_delay_seconds: 120

Defect Fixes

  • The agent now honors the HTTP health status_port configuration option.
  • Optimized performance in processing data received from the recvmsg syscall.
  • Improved PostgreSQL protocol parsing in Monitor mode to correctly handle potentially malformed packets.

Vulnerability Fixes

This release addresses the following security vulnerabilities: