CVE-2024-27397 (Red Hat CVE record RH:CVE-2024-27397)

Source: redhat.com / access.redhat.com
Published: 2024-05-14 23:56:36 (May 14, 2024 - 11:56 p.m.)
Tags: linux kernel, netfilter, nf_tables, timestamp, set element timeout, per-netns area, control plane, packet path, workqueue, vulnerability, async gc

AI Score: 6.4 (Confidence: High)

EPSS: 0 (Percentile: 10.8%)

A use-after-free flaw was found in the Linux kernel’s netfilter subsystem in how a user triggers the element timeout. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Mitigation

Triggering the issue requires the ability to create user/net namespaces.

On non-containerized deployments of Red Hat Enterprise Linux 8, you can disable user namespaces by setting user.max_user_namespaces to 0:

echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf

sysctl -p /etc/sysctl.d/userns.conf

On containerized deployments, such as Red Hat OpenShift Container Platform, do not apply this mitigation, because that functionality must remain enabled.
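As an added example (not part of the Red Hat advisory), a POSIX shell helper that writes the drop-in above and then verifies both the live kernel value and which sysctl.d file actually wins, since drop-ins are applied in lexical order and a later file can quietly re-enable user namespaces. The directory and proc-node paths are parameters so the checks can be exercised against a staging directory; the defaults are the real system locations.

```shell
#!/bin/sh
# Added example, not from the Red Hat advisory. Paths are parameters so the
# checks can run against a staging directory; defaults are the real locations.

# Write the mitigation drop-in (user.max_user_namespaces=0) into a sysctl.d
# directory and print the file written. $1: directory (default /etc/sysctl.d)
write_userns_dropin() {
  dir="${1:-/etc/sysctl.d}"
  printf 'user.max_user_namespaces=0\n' > "$dir/userns.conf" || return 1
  printf '%s\n' "$dir/userns.conf"
}

# Check the live kernel value. $1: sysctl node
# (default /proc/sys/user/max_user_namespaces).
# Returns 0 when user namespaces are disabled (value 0), 1 when they are
# still allowed, 2 when the node is unreadable (no user-namespace support).
userns_mitigated() {
  node="${1:-/proc/sys/user/max_user_namespaces}"
  value=$(cat "$node" 2>/dev/null) || return 2
  case "$value" in
    0) return 0 ;;
    *) return 1 ;;
  esac
}

# Report which drop-in wins for user.max_user_namespaces. Files in a
# sysctl.d directory are applied in lexical order, so a later file such as
# zz-local.conf silently overrides userns.conf. $1: directory.
# Prints "<file>=<value>" for the last file that sets the key, or nothing.
effective_userns_setting() {
  dir="${1:-/etc/sysctl.d}"
  winner=""
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    v=$(sed -n 's/^[[:space:]]*user\.max_user_namespaces[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | tail -n 1)
    [ -n "$v" ] && winner="$f=$v"
  done
  printf '%s\n' "$winner"
}
```

After applying the drop-in with `sysctl -p`, run `userns_mitigated` to confirm the running kernel reports 0 and `effective_userns_setting` to confirm no later drop-in overrides it.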