Jonathon Reinhart

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel, where `tcp allowed congestion control` is global and writable, allowing writes to it in any net namespace to leak into all other net namespaces. This is because `tcp available congestion control` and `tcp allowed congestion control` are the only sysctls in `ipv4 net table` with a NULL data pointer, and their handlers have no other way of referencing a `struct net`, thus operating globally. The intent of the commit was only to know which congestion algorithms are available or allowed, and making these entries read-only should be sufficient. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `tcp set default congestion control()` function in the Linux kernel, which has an unintended side-effect of changing the global `net.ipv4.tcp allowed congestion control` sysctl, despite being read-only. This is due to the function setting `ca->flags |= TCP CONG NON RESTRICTED`, which is not namespaced. The restriction could be removed if `tcp allowed congestion control` were namespace-ified in the future. The bug was uncovered with the help of a tool available at https://github.com/JonathonReinhart/linux-netns-sysctl-verify. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.