Host Shield for Linux Release Notes

Welcome to the release notes for Sysdig Host Shield for Linux.

Deprecation Notice

Support Ending

Starting with version 14.3.0, Legacy eBPF is deprecated and it will be unsupported after December 4, 2026.
Future releases will no longer introduce new features for Legacy eBPF.
To ensure continued feature support and compatibility, we strongly recommend migrating to:
- Universal eBPF, or
- Kernel Module on environments running kernels older than version 5.8
For more information, see the full Drivers documentation.
Secure Mode is now deprecated and will be permanently retired on December 4, 2026. To ensure continued support and benefit from improved performance, migrate to Secure_Light mode. This mode offers enhanced efficiency and is the long-term supported option moving forward.
See the deprecation policy for more details.

14.6.0 May 19, 2026

Supported shield chart version: 1.38.0
Supported sysdig-deploy version: 1.111.0
Supported Falco Engine version: 1000.55.0

Enhancements

Enhanced Container Support Performance on Hosts with High Process Counts

Improved performance of container support, especially on machines with large numbers of running processes.

Expanded Rootless Podman Container Detection

Extended container detection capabilities to dynamically surface rootless Podman containers.

New Read only Filesystem Metrics

Introduced the sysdig_host_filesystem_readonly metric to indicate whether the host filesystem is mounted as read-only

Improved Agent Performance During Posture Scanning

Reduced agent overhead by filtering syscall events from supervised subprocesses during posture scans and other intensive operations, resulting in lower CPU and memory usage.

Added Kubernetes API request timeout configuration

Introduced k8s_api_request.socket_timeout_sec setting to allow control over socket timeout behavior for Kubernetes API requests.

Least Privileged Mode Support for Host Shield

Added support for running Host Shield in unprivileged mode by setting host.privileged: false in the Helm chart, bringing parity with the Least Privileged Agent. For more information, see Manage Host Shield Privileges.

Defect Fixes

Fixed missing fields and incorrect behavior on DNS events: resolved two bugs in DNS detection that could cause DNS events to be silently dropped or have fields missing, leading to policy rules not firing as expected and incomplete data in DNS-related alerts. Customers relying on DNS-based detection rules should see more consistent and complete DNS event data after this fix.
Fixed a bug which could cause host-scanner to hang indefinitely at startup when attempting to ping the Docker daemon, if Non-Kubernetes Containers scanning is enabled.
Fixed a bug causing containers to report memory usage exceeding their configured limits.
Addressed an issue where erroneous socket events could cause file descriptor tables to grow indefinitely, leading to potential unbounded memory consumption.
Fixed probe build failures on Fedora 42 and 43 distributions.
Resolved an occasional crash occurring when the system was running with observations enabled.

Vulnerability Fixes

Addressed the following vulnerabilities:

CVE-2026-41676
CVE-2026-41677
CVE-2026-41678
CVE-2026-41681
CVE-2026-41898
CVE-2026-22016
CVE-2026-29181
CVE-2026-33811
CVE-2026-33814
CVE-2026-39820
CVE-2026-39836
CVE-2026-39979
CVE-2026-40164
CVE-2026-42151
CVE-2026-42154
CVE-2026-4424
CVE-2026-4878
CVE-2025-14087
CVE-2025-14512
CVE-2026-22013
CVE-2026-22021
CVE-2026-23865
CVE-2026-29111
CVE-2026-39823
CVE-2026-39825
CVE-2026-39826
CVE-2026-39882
CVE-2026-40179
CVE-2026-42499
CVE-2026-5121
CVE-2026-22007
CVE-2026-22018
CVE-2026-34268

14.5.2 April 22, 2026

Supported shield chart version: 1.34.6
Supported sysdig-deploy version: 1.109.7
Supported Falco Engine version: 1000.55.0

Defect Fixes

Fixed a performance issue in container support on machines with large numbers of running processes.
Fixed a bug that caused a container to report more memory than its configured limit.

Vulnerability Fixes

Addressed the following vulnerabilities:

CVE-2026-39892
CVE-2026-27135
CVE-2026-34982
CVE-2026-34986
CVE-2026-39883
CVE-2025-29768
CVE-2025-71176
CVE-2026-28418
CVE-2026-28419
CVE-2026-28420
CVE-2026-35177
CVE-2026-39881
CVE-2021-3927
CVE-2021-3928
CVE-2021-3968
CVE-2021-3973
CVE-2021-3974
CVE-2021-4136
CVE-2021-4166
CVE-2021-4173
CVE-2021-4187
CVE-2022-0213
CVE-2022-0351
CVE-2022-1616
CVE-2022-1619
CVE-2022-1620
CVE-2022-1674
CVE-2022-1720
CVE-2022-1725
CVE-2022-2042
CVE-2022-2124
CVE-2022-2125
CVE-2022-2126
CVE-2022-2129
CVE-2022-2175
CVE-2022-2182
CVE-2022-2183
CVE-2022-2206
CVE-2022-2207
CVE-2022-2208
CVE-2022-2210
CVE-2022-2257
CVE-2022-2284
CVE-2022-2285
CVE-2022-2286
CVE-2022-2287
CVE-2022-2304
CVE-2022-2343
CVE-2022-2344
CVE-2022-2345
CVE-2022-2522
CVE-2022-2817
CVE-2022-2819
CVE-2022-2845
CVE-2022-2849
CVE-2022-2862
CVE-2022-2874
CVE-2022-2889
CVE-2022-2923
CVE-2022-2946
CVE-2022-2980
CVE-2022-2982
CVE-2022-3016
CVE-2022-3037
CVE-2022-3099
CVE-2022-3134
CVE-2022-3153
CVE-2022-3234
CVE-2022-3235
CVE-2022-3256
CVE-2022-3278
CVE-2022-3296
CVE-2022-3297
CVE-2022-3324
CVE-2022-3352
CVE-2022-3705
CVE-2022-4141
CVE-2022-4292
CVE-2022-4293
CVE-2023-0049
CVE-2023-0051
CVE-2023-0054
CVE-2023-0288
CVE-2023-0433
CVE-2023-0512
CVE-2023-1127
CVE-2023-1170
CVE-2023-1175
CVE-2023-1264
CVE-2023-2609
CVE-2023-2610
CVE-2023-46246
CVE-2023-4734
CVE-2023-4735
CVE-2023-4738
CVE-2023-4751
CVE-2023-4781
CVE-2023-48231
CVE-2023-48232
CVE-2023-48233
CVE-2023-48234
CVE-2023-48235
CVE-2023-48236
CVE-2023-48237
CVE-2023-48706
CVE-2023-5344
CVE-2023-5441
CVE-2023-5535
CVE-2024-22667
CVE-2024-41957
CVE-2024-41965
CVE-2024-43374
CVE-2024-43802
CVE-2024-45306
CVE-2024-47814
CVE-2025-1215
CVE-2025-22134
CVE-2025-24014
CVE-2025-26603
CVE-2026-26269
CVE-2026-28422

14.5.1 April 15, 2026

Supported shield chart version: 2.7.2
Supported sysdig-deploy version: 1.109.6
Supported Falco Engine version: 1000.55.0

Enhancements

Reduced File Descriptor Path Logging Verbosity

Reduced log verbosity when resolving file descriptor paths.

Defect Fixes

Erroneous socket events caused file descriptor tables to grow, potentially leading to unbounded memory usage.
Fixed an issue in Host Posture in which Linux host benchmark checks produced duplicate sysctl values, causing incorrect false-positive posture results.
Fixed an issue in which Host Posture sent requests incompatible with on-premises installations earlier than version 7.7.0, preventing scans from being scheduled.
Fixed an issue in which Host Posture sent duplicated results for the same host, preventing host posture evaluation from completing.
Fixed an issue causing the agent to stop unexpectedly when running with observations enabled.
Fixed an issue where the legacy_ebpf driver would not load on Oracle Linux version 8.

Vulnerability Fixes

14.5.0 March 31, 2026

Supported shield chart version: 1.33.0
Supported sysdig-deploy version: 1.108.0
Supported Falco Engine version: 1000.55.0

Enhancements

Local Scanning for Kubernetes Container Workloads

Sysdig now supports local scanning of vulnerabilities for Kubernetes container workloads by using Host Shield image scanning on each node. This improves coverage for more complex environments, without relying solely on registry or agentless scanning paths. For more information, see Local Scanning.

Reduced Agent Log Noise

Downgraded a recurring warning message in agent logs to Debug level. The message had no impact on functionality and required no action.

Reduced Log Noise for Unresolvable Thread Entries

Reduced the severity of a log message that could appear frequently in agent logs and cause unnecessary concern and log rotation. The message, which indicated a thread without a resolvable main process, required no action and has been moved to Debug level to avoid surfacing as a warning during normal operations.

Improved Handling of Delayed Container Events

Improved processing of delayed container events to ensure they are handled correctly when they arrive after their expected time.

Defect Fixes

Fixed Prometheus exporter logging to prevent INFO-level messages from being reported as errors.
Fixed a bug where the baseliner does not respect the pause time after being stopped.
Resolved an issue where the kmod driver could exit unexpectedly under high load on large machines (48+ cores).
Fixed a pipe descriptor leak on shield restart when you enable Host Scanner or Rapid Response.
Fixed a segmentation fault and subsequent agent restart that was triggered when initiating a capture with a filter containing a plugin field.
Updated tests to include an additional subprocess required by the shield.
Fixed a race condition during Secure Policies reload that could cause the Host Shield to stop unexpectedly.
Resolved a bug causing backend exceptions and agent disconnections due to invalid protobuf payloads.
Fixed an issue where the container_image_tag metric label displayed an incorrect value when the container image reference included a registry port.
Fixed an issue where installing Host Shield using system packages failed on SUSE Linux Enterprise Server (SLES) 16 and Red Hat Enterprise Linux (RHEL) 10.

Vulnerability Fixes

Addressed the following vulnerabilities:

14.4.1 March 12, 2026

Supported sysdig-deploy version: 1.106.1
Supported Falco Engine version: 1000.52
Supported shield chart version: 1.30.2

Enhancements

Improved Handling of Delayed Container Events

Improved processing of delayed container events to ensure they are handled correctly when they arrive after their expected time.

Defect Fixes

Fixed an issue in Host Scanner Vulnerability Management where packages could fail to be detected on: Amazon Linux, EulerOS, Talos, and minimal or hardened Alpine variants.

Vulnerability Fixes

Addressed the following vulnerabilities:

14.4.0 February 17, 2026

Supported sysdig-deploy version: 1.103.0
Supported Falco Engine version: 1000.52
Supported shield chart version: 1.28.0

Enhancements

Sysdig Host Shield Key Stored in Memory

Host Shield can now load the access key from the SYSDIG_HOST_SHIELD_SYSDIG_ENDPOINT__ACCESS_KEY operating system environment variable. The access key will be stored in memory only and will not be written to disk.

Reduced Collector Connection Log Verbosity

Reduced error log verbosity when retrying connections to the Sysdig collector.

Improved Docker Audits with Mirantis Container Runtime (MCR)

Enhanced Docker audits to skip evaluation when Mirantis Container Runtime (MCR) is detected.

Amazon Kinesis in Agent Local Forwarding

Starting from this release, Amazon Kinesis is available as target integration in Agent Local Forwarding, supporting both Amazon Kinesis Firehose and Amazon Kinesis Data Streams as configurable targets. For more information, see:

Defect Fixes

Fixed an issue where a malformed message shared may lead to backend disconnections.
Fixed metadata retrieval for IBM standalone virtual server instances.
Fixed an issue affecting the detection of incorrect container memory limits.
Fixed a minor memory usage issue in StatsD connection handling.
Fixed exceptions that occurred when the set of block devices present during aggregation changed.
Added support for Kubernetes version 1.29 to 1.32, including updated compliance audit coverage.
Fixed an issue that could cause Host Shield to run unnecessary Vulnerability Management scans after restarts.
Fixed a pipe descriptor leak on Shield restart when Host Scanner or Rapid Response is enabled.
Fixed the skip_events_by_process configuration to skip child processes spawned both before and after the Shield starts. This affects Host Shield version 14.3.x.
Improved Shield support bundle generation.
- Support bundles are now created in the /tmp/ directory.
- Added a compression fallback chain (bzip2 → gzip → uncompressed tar) to ensure bundle collection succeeds when preferred compression tools are unavailable.

Vulnerability Fixes

Addressed the following vulnerabilities:

Known Issues

FIM detection relies on BPF_LINK_CREATE, which is not available on kernel versions earlier than 5.7 or libbpf versions earlier than 0.0.8. When this capability is unavailable, FIM detection will fail to initialize.

Sysdig plans to fix this in an upcoming release.

Workaround

Upgrade the host kernel to version 5.7 or later, upgrade libbpf to version 0.0.8 or later, or temporarily disable the FIM feature before upgrading Shield.

14.3.2 January 15, 2026

Supported sysdig-deploy version: 1.99.7
Supported Falco Engine version: 1000.51
Supported shield chart version: 1.25.4

Defect Fixes

Fixed metadata retrieval in IBM standalone virtual server instances.
Fixed a bug that could cause the Shield to enter an infinite loop when handling the recvmsg and recvmmsg syscalls.

Vulnerability Fixes

Addressed the following vulnerabilities: