CVE-2020-14386 log

Severity High
Remote No
Type Privilege escalation
A memory corruption flaw was found in the Linux kernel before 5.9-rc4  in net/packet/af_packet.c. A local attacker with CAP_NET_RAW privileges can exploit this vulnerability to gain root privileges from unprivileged processes.
Group Package Affected Fixed Severity Status Ticket
AVG-1237 linux-hardened 5.7.19.a-1 5.8.a-1 High Fixed
AVG-1224 linux-zen 5.8.7.zen1-1 5.8.8.zen1-1 High Fixed
AVG-1223 linux-lts 5.4.63-1 5.4.64-1 High Fixed
AVG-1222 linux 5.8.7.arch1-1 5.8.8.arch1-1 High Fixed
Mitigation: If unprivileged user namespaces are not needed, set the kernel.unprivileged_userns_clone sysctl to 0:

$ sudo sysctl kernel.unprivileged_userns_clone=0

This prevents straight forward exploitation, however the vulnerability can still be triggered by an attacker by gaining code execution to an unprivileged processes that has the CAP_NET_RAW capability set and the system does not restrict the capability.