A flaw was found in the Linux kernel. A local attacker, able to inject conntrack netlink configuration, could overflow a local buffer causing crashes or triggering the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Mitigation

To mitigate this issue, prevent module nf_conntrack_netlink from being loaded. Please see <https://access.redhat.com/solutions/41278&gt; for how to blacklist a kernel module to prevent it from loading automatically.

Alternatively, if nf_conntrack_netlink is being used, on Red Hat Enterprise Linux 8, you can disable unprivileged user namespaces by setting user.max_user_namespaces to 0:

echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf

sysctl -p /etc/sysctl.d/userns.conf