
OSG-SEC-2020-09-22 CVE-2020-14386 Memory corruption in kernel on EL8

Dear OSG Security Contacts,

A memory corruption vulnerability described in CVE-2020-14386 [1] has been found in some versions of the Linux kernel that can result in privilege escalation. Specifically, this affects EL8 systems; RHEL 7 and CentOS 7 are not affected.

The OSG Security team considers this vulnerability to be HIGH severity.

Affected systems: Red Hat Enterprise Linux 8, CentOS 8

A memory corruption vulnerability [2] exists in code related to handling AF_PACKET sockets. An unprivileged user on systems where unprivileged user namespaces are enabled, such as EL8 systems, can acquire the CAP_NET_RAW capability to create AF_PACKET sockets and trigger this memory corruption, potentially leading to privilege escalation.

A patched kernel is not yet available. The Red Hat security announcement [3] recommends disabling the CAP_NET_RAW capability for regular users and executables as a mitigation.

Additionally, the OSG Security team recommends disabling network namespaces when unprivileged user namespaces are enabled [4]:

echo "user.max_net_namespaces = 0" \
    > /etc/sysctl.d/90-max_net_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf

Note that Docker uses network namespaces unless it is invoked with --net=host.

Unprivileged user namespaces are enabled by default on EL8. If you are not using unprivileged user namespaces (for example, for Singularity), you can also mitigate this issue by disabling them:

echo "user.max_user_namespaces = 0" \
    > /etc/sysctl.d/90-max_user_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_user_namespaces.conf
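As an added check that is not part of this advisory, the script below computes the value user.max_net_namespaces and user.max_user_namespaces will take at boot from a set of sysctl.d fragments (later files in lexical order override earlier ones, so a 99- file can silently undo the 90- drop-in above, and sysctl -p FILE only applies that one file), compares them with the live kernel values, and reports whether either mitigation is in effect. The fragment contents are constructed for the demonstration; on a real host point report at /etc/sysctl.d.

```shell
#!/bin/sh
# Added example (not OSG or Red Hat code): verify the sysctl mitigations.

# effective_value KEY FILE...: value KEY ends up with when the given
# sysctl.d fragments are applied in lexical order (last assignment wins).
effective_value() {
    key=$1; shift
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the key
    val=""
    for f in $(printf '%s\n' "$@" | sort); do
        v=$(sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# mitigation_status MAX_USER_NS MAX_NET_NS: does the pair of settings close
# the unprivileged route to CAP_NET_RAW described in the advisory?
mitigation_status() {
    if [ "$1" = "0" ]; then
        echo "mitigated (unprivileged user namespaces disabled)"
    elif [ "$2" = "0" ]; then
        echo "mitigated (network namespaces disabled)"
    else
        echo "not mitigated by sysctl; a patched kernel is required"
    fi
}

# live_value NAME: current kernel value, or n/a where /proc/sys/user is absent.
live_value() { cat "/proc/sys/user/$1" 2>/dev/null || echo n/a; }

# report DIR: boot-time effective values from DIR/*.conf vs. the live kernel.
report() {
    userns=$(effective_value user.max_user_namespaces "$1"/*.conf)
    netns=$(effective_value user.max_net_namespaces "$1"/*.conf)
    echo "boot-time: max_user_namespaces=${userns:-default} max_net_namespaces=${netns:-default}"
    echo "live:      max_user_namespaces=$(live_value max_user_namespaces) max_net_namespaces=$(live_value max_net_namespaces)"
    mitigation_status "${userns:-unset}" "${netns:-unset}"
}

# Constructed fragments: the advisory's 90- drop-in plus a later 99- file
# (e.g. left behind by a container tool) that re-enables network namespaces.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'user.max_user_namespaces = 15000\n' > "$DEMO_DIR/50-userns.conf"
printf 'user.max_net_namespaces = 0\n' > "$DEMO_DIR/90-max_net_namespaces.conf"
printf '# raise limits\nuser.max_net_namespaces = 65536\n' > "$DEMO_DIR/99-limits.conf"

report "$DEMO_DIR"   # the 99- file wins, so the report shows "not mitigated"
```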

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team