
Host Shield for Linux Release Notes

Welcome to the release notes for Sysdig Host Shield for Linux.

Deprecation Notice

Support Ending

  • Starting with version 14.3.0, Legacy eBPF is deprecated and will be unsupported after December 4, 2026.
  • Future releases will no longer introduce new features for Legacy eBPF.
  • To ensure continued feature support and compatibility, we strongly recommend migrating to:
  • For more information, see the full Drivers documentation.
  • Secure Mode is now deprecated and will be permanently retired on December 4, 2026. To ensure continued support and benefit from improved performance, migrate to Secure_Light mode. This mode offers enhanced efficiency and is the long-term supported option moving forward.
  • See the deprecation policy for more details.

14.5.1 April 15, 2026

  • Supported shield chart version: 2.7.2
  • Supported sysdig-deploy version: 1.109.6
  • Supported Falco Engine version: 1000.55.0

Enhancements

Reduced File Descriptor Path Logging Verbosity

  • Reduced log verbosity when resolving file descriptor paths.

Defect Fixes

  • Fixed an issue in which erroneous socket events caused file descriptor tables to grow, potentially leading to unbounded memory usage.
  • Fixed an issue in Host Posture in which Linux host benchmark checks produced duplicate sysctl values, causing incorrect false-positive posture results.
  • Fixed an issue in which Host Posture sent requests incompatible with on-premises installations earlier than version 7.7.0, preventing scans from being scheduled.
  • Fixed an issue in which Host Posture sent duplicated results for the same host, preventing host posture evaluation from completing.
  • Fixed an issue causing the agent to stop unexpectedly when running with observations enabled.
  • Fixed an issue where the legacy_ebpf driver would not load on Oracle Linux version 8.

Vulnerability Fixes

14.5.0 March 31, 2026

  • Supported shield chart version: 1.33.0
  • Supported sysdig-deploy version: 1.108.0
  • Supported Falco Engine version: 1000.55.0

Enhancements

Local Scanning for Kubernetes Container Workloads

  • Sysdig now supports local scanning of vulnerabilities for Kubernetes container workloads by using Host Shield image scanning on each node. This improves coverage for more complex environments, without relying solely on registry or agentless scanning paths. For more information, see Local Scanning.

Reduced Agent Log Noise

  • Downgraded a recurring warning message in agent logs to Debug level. The message had no impact on functionality and required no action.

Reduced Log Noise for Unresolvable Thread Entries

  • Reduced the severity of a log message that could appear frequently in agent logs and cause unnecessary concern and log rotation. The message, which indicated a thread without a resolvable main process, required no action and has been moved to Debug level to avoid surfacing as a warning during normal operations.

Improved Handling of Delayed Container Events

  • Improved processing of delayed container events to ensure they are handled correctly when they arrive after their expected time.

Defect Fixes

  • Fixed Prometheus exporter logging to prevent INFO-level messages from being reported as errors.
  • Fixed a bug where the baseliner did not respect the pause time after being stopped.
  • Resolved an issue where the kmod driver could exit unexpectedly under high load on large machines (48+ cores).
  • Fixed a pipe descriptor leak on shield restart when you enable Host Scanner or Rapid Response.
  • Fixed a segmentation fault and subsequent agent restart that was triggered when initiating a capture with a filter containing a plugin field.
  • Updated tests to include an additional subprocess required by the shield.
  • Fixed a race condition during Secure Policies reload that could cause the Host Shield to stop unexpectedly.
  • Resolved a bug causing backend exceptions and agent disconnections due to invalid protobuf payloads.
  • Fixed an issue where the container_image_tag metric label displayed an incorrect value when the container image reference included a registry port.
  • Fixed an issue where installing Host Shield using system packages failed on SUSE Linux Enterprise Server (SLES) 16 and Red Hat Enterprise Linux (RHEL) 10.

Vulnerability Fixes

Addressed the following vulnerabilities:

14.4.1 March 12, 2026

  • Supported sysdig-deploy version: 1.106.1
  • Supported Falco Engine version: 1000.52
  • Supported shield chart version: 1.30.2

Enhancements

Improved Handling of Delayed Container Events

  • Improved processing of delayed container events to ensure they are handled correctly when they arrive after their expected time.

Defect Fixes

  • Fixed an issue in Host Scanner Vulnerability Management where packages could fail to be detected on: Amazon Linux, EulerOS, Talos, and minimal or hardened Alpine variants.

Vulnerability Fixes

Addressed the following vulnerabilities:


14.4.0 February 17, 2026

  • Supported sysdig-deploy version: 1.103.0
  • Supported Falco Engine version: 1000.52
  • Supported shield chart version: 1.28.0

Enhancements

Sysdig Host Shield Key Stored in Memory

  • Host Shield can now load the access key from the SYSDIG_HOST_SHIELD_SYSDIG_ENDPOINT__ACCESS_KEY operating system environment variable. The access key will be stored in memory only and will not be written to disk.

Reduced Collector Connection Log Verbosity

  • Reduced error log verbosity when retrying connections to the Sysdig collector.

Improved Docker Audits with Mirantis Container Runtime (MCR)

  • Enhanced Docker audits to skip evaluation when Mirantis Container Runtime (MCR) is detected.

Amazon Kinesis in Agent Local Forwarding

  • Starting with this release, Amazon Kinesis is available as a target integration in Agent Local Forwarding, supporting both Amazon Kinesis Firehose and Amazon Kinesis Data Streams as configurable targets. For more information, see:

Defect Fixes

  • Fixed an issue where a malformed shared message could lead to backend disconnections.
  • Fixed metadata retrieval for IBM standalone virtual server instances.
  • Fixed an issue affecting the detection of incorrect container memory limits.
  • Fixed a minor memory usage issue in StatsD connection handling.
  • Fixed exceptions that occurred when the set of block devices present during aggregation changed.
  • Added support for Kubernetes versions 1.29 to 1.32, including updated compliance audit coverage.
  • Fixed an issue that could cause Host Shield to run unnecessary Vulnerability Management scans after restarts.
  • Fixed a pipe descriptor leak on Shield restart when Host Scanner or Rapid Response is enabled.
  • Fixed the skip_events_by_process configuration to skip child processes spawned both before and after the Shield starts. This affects Host Shield version 14.3.x.
  • Improved Shield support bundle generation.
    • Support bundles are now created in the /tmp/ directory.
    • Added a compression fallback chain (bzip2 → gzip → uncompressed tar) to ensure bundle collection succeeds when preferred compression tools are unavailable.

Vulnerability Fixes

Addressed the following vulnerabilities:

Known Issues

  • FIM detection relies on BPF_LINK_CREATE, which is not available on kernel versions earlier than 5.7 or libbpf versions earlier than 0.0.8. When this capability is unavailable, FIM detection will fail to initialize.

Sysdig plans to fix this in an upcoming release.

Workaround

Upgrade the host kernel to version 5.7 or later, upgrade libbpf to version 0.0.8 or later, or temporarily disable the FIM feature before upgrading Shield.
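
A pre-upgrade check for this known issue, added here as an example (not Sysdig code): it classifies a `uname -r` style release string against the 5.7 kernel minimum so hosts that need the workaround can be found before the Shield is upgraded. The function names are hypothetical and the sample release strings are constructed; only the kernel version number is compared, and the libbpf version is not checked.

```shell
#!/bin/sh
# Added example: flag hosts affected by the FIM known issue
# (BPF_LINK_CREATE requires kernel 5.7 or later per the release note).
MIN_MAJOR=5
MIN_MINOR=7

# kernel_meets_fim_minimum RELEASE
# Returns 0 if RELEASE is >= 5.7, 1 if older, 2 if it cannot be parsed.
kernel_meets_fim_minimum() {
    release=$1
    case $release in
        [0-9]*.[0-9]*) ;;          # must look like "<major>.<minor>..."
        *) return 2 ;;
    esac
    major=${release%%.*}           # text before the first dot
    rest=${release#*.}             # text after the first dot
    minor=${rest%%[!0-9]*}         # leading digits only; drops patch and distro suffix
    case $major in *[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then return 0; fi
    return 1
}

# fim_upgrade_verdict RELEASE
# Prints a one-line verdict suitable for collecting across a fleet.
fim_upgrade_verdict() {
    rc=0
    kernel_meets_fim_minimum "$1" || rc=$?
    case $rc in
        0) echo "ok: kernel $1 meets the 5.7 minimum for FIM" ;;
        1) echo "blocked: kernel $1 is older than 5.7; upgrade the kernel or disable FIM first" ;;
        *) echo "unknown: cannot parse kernel release '$1'" ;;
    esac
}

# Constructed sample release strings, followed by the running host.
for r in "5.4.0-150-generic" "4.18.0-553.el8_10.x86_64" \
         "5.14.0-427.13.1.el9_4.x86_64" "6.1.0-18-amd64" "$(uname -r)"; do
    fim_upgrade_verdict "$r"
done
```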

14.3.2 January 15, 2026

  • Supported sysdig-deploy version: 1.99.7
  • Supported Falco Engine version: 1000.51
  • Supported shield chart version: 1.25.4

Defect Fixes

  • Fixed metadata retrieval in IBM standalone virtual server instances.
  • Fixed a bug that could cause the Shield to enter an infinite loop when handling the recvmsg and recvmmsg syscalls.

Vulnerability Fixes

Addressed the following vulnerabilities: