Skip to main content
  1. Blog
  2. Article

Canonical
on 5 July 2019

Ubuntu updates for TCP SACK Panic vulnerabilities

14.04 16.04 18.04 ESM Extended Security Maintenance livepatch sack panic Security TCP Sack Panic Trusty Tahr

Issues have been identified in the way the Linux kernel’s TCP implementation processes Selective Acknowledgement (SACK) options and handles low Maximum Segment Size (MSS) values. These TCP SACK Panic vulnerabilities could expose servers to a denial of service attack, so it is crucial to have systems patched.

Updated versions of the Linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users.

It is recommended to update to the latest kernel packages and consult Ubuntu Security Notices for further updates.

Ubuntu Advantage for Infrastructure subscription customers can find the latest status information in our Knowledge Base and file a support case with Canonical support for any additional questions or concerns around SACK Panic.

Canonical’s Kernel Livepatch updates for security vulnerabilities related to TCP SACK processing in the Linux kernel have been released and are described by CVEs 2019-11477 and 2019-11478, with details of the patch available in LSN-0052-1.

These CVEs have a Livepatch fix available, however, a minimum kernel version is required for Livepatch to install the fix as denoted by the table in LSN-0052-1, reproduced here:

| Kernel                   | Version | flavors           |
|--------------------------+----------+--------------------------|
| 4.4.0-148.174            | 52.3 | generic, lowlatency      |
| 4.4.0-150.176            | 52.3 | generic, lowlatency      |
| 4.15.0-50.54             | 52.3 | generic, lowlatency      |
| 4.15.0-50.54~16.04.1     | 52.3 | generic, lowlatency      |
| 4.15.0-51.55             | 52.3 | generic, lowlatency      |
| 4.15.0-51.55~16.04.1     | 52.3 | generic, lowlatency      |

Livepatch fixes for CVEs 2019-11477 and 2019-11478 are not available for prior kernels, and an upgrade and reboot to the appropriate minimum version is necessary. These kernel versions correspond to the availability of mitigations for the MDS series of CVEs (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091).

Additionally, a third SACK related issue, CVE-2019-11479, does not have a Livepatch fix available because it is not technically feasible to apply the changes via Livepatch. Mitigation information is available at the Ubuntu Security Team Wiki.

If you have any questions and want to learn more about these patches, please do not hesitate to get in touch.

Related posts

Luci Stanescu
8 May 2026

Dirty Frag Linux kernel local privilege escalation vulnerability mitigations

Ubuntu Article

Two local privilege escalation (LPE) vulnerabilities affecting the Linux kernel have been publicly disclosed on May 7, 2026. One of the vulnerabilities has been assigned the ID: CVE-2026-43284. The other CVE ID is pending. Both are referred to as “Dirty Frag.” The affected components are Linux kernel modules. The first vulnerability impac ...

Luci Stanescu
30 April 2026

Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability

Ubuntu Article

A local privilege escalation (LPE) vulnerability affecting the Linux kernel has been publicly disclosed on April 29, 2026. The vulnerability has been assigned CVE ID CVE-2026-31431 and is referred to as Copy Fail. The affected component is a kernel module that provides hardware-accelerated cryptographic functions: algif_aead. The vulnerab ...

Luci Stanescu
12 March 2026

AppArmor vulnerability fixes available

Ubuntu Article

Qualys discovered several vulnerabilities in the AppArmor code of the Linux kernel. These are being referred to as CrackArmor, while CVE IDs are in the process of being assigned by the Linux Kernel CVE Numbering Authority. There are eleven patches for the nine vulnerabilities and each patch is assigned a CVE IDs: CVE-2026-23268, CVE-2026- ...