SACK Panic: What is it, and is it actually time to panic?

SACK Panic: What is it, and is it actually time to panic?

Security Published on 2 mins Last updated

Four closely related vulnerabilities regarding TCP handling in the Linux and FreeBSD kernels were publicly disclosed on 17 June 2019.

Dubbed as “SACK Panic”, the main vulnerability can cause a Linux operating system to crash under specific conditions.

UPDATE: recommend that you update to v8.3.8 or contact support for the workaround details — to avoid this potential Denial of Service vulnerability.

Who is vulnerable?

The SACK Panic vulnerability affects all Linux kernels from version 2.6.29 onward. That kernel was released back in 2009, which means this vulnerability has existed for a decade without any known issues or exploits arising in the wild. appliances from version 6 onward are affected.

FreeBSD 12 systems are also vulnerable to one of the lesser SACK vulnerabilities which causes excessive CPU usage.

Why “Panic”?

The name SACK Panic is a reference to the kernel panic at the heart of the main vulnerability. Equivalent to the “Blue Screen of Death” in Windows land, a kernel panic happens when the operating system encounters an unrecoverable fatal system error. A system reboot is required to recover.

Contrary to the main vulnerability's name, we don't think there's any need to immediately panic. This issue has been around for over 10 years, and no known proof of concept currently exists to exploit it.

System administrators should take a responsible and measured approach, as with any vulnerability, and aim to apply all fixes as OS maintainers and device manufacturers roll out updates.

Is a fix available?


Thanks to responsible disclosure and the power of free and open-source software, Linux kernel fixes are already available. We have been busy testing the fixed kernel for stability, and have rolled it into our 8.3.8 product update, which is available now.

If you have specific worries or concerns, or are not able to update to version 8.3.8 to get the fix, then contact our support team,, who can assist with a temporary workaround (the SACK option can be completely disabled if needed).

What exactly causes the vulnerability?

SACK Panic, the most serious of the four vulnerabilities, can, under specific circumstances, cause a kernel panic and crash a Linux operating system. The Linux TCP/IP stack uses a data structure known as a socket buffer, which is designed to hold up to 17 fragments of TCP packet data. A vulnerable kernel can be made to exceed the 17 fragment limit, which causes a kernel panic and crashes the system.

What even is SACK?

SACK stands for selective acknowledgement. It’s a clever, optional TCP extension, first defined back in 1996, and currently supported in all commonly used TCP stacks.

SACK provides a mechanism to enable the receiving end of a TCP connection to precisely specify which parts of the connection, if any, were not correctly received and require re-sending. This is a particularly big boon for connections with high amounts of delay, as it allows all of the connection's bandwidth to be used effectively.

Where can I find more information?

Some great, detailed technical explanations of all four SACK vulnerabilities have been published by Netflix, which can be found here, as well as by Red Hat, which can be found here.

Alternatively, you can contact us if you require further information.