CloudLinux - CloudLinux Blog - Don’t panic about TCP SACK PANIC—we’re working on it

Don’t panic about TCP SACK PANIC—we’re working on it


Netflix recently discovered TCP networking vulnerabilities in the FreeBSD and Linux kernels.

There are three flaws: one is rated Important in severity (CVE-2019-11477), and two are rated Moderate (CVE-2019-11478 and CVE-2019-11479).

What is the problem?

The flaws involve the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most dangerous of them, TCP SACK PANIC, allows a remote attacker to trigger a kernel panic on Linux kernels. You can find the detailed description here.

When will the CloudLinux OS 6 & 7 kernels be patched?

We are going to release patches with the fix for the TCP SACK PANIC vulnerabilities for CloudLinux OS 6 & 7 to Beta tomorrow and to Stable on the upcoming Monday.

How to mitigate?

Red Hat specialists propose two mitigation options for the CVE-2019-11477 and CVE-2019-11478 flaws: “disable the vulnerable component, or use iptables to drop connections with an MSS size”. You can find the details here (Resolve tab, Mitigation section).
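
A check for whether either of the two quoted mitigation options is in place on a host, as an added example that is not from this post or from Red Hat's advisory. The function name, status words and sample ruleset are constructed for illustration, the MSS range in the sample is a placeholder, and the MTU-probing condition comes from the upstream advisories rather than from this page.

```shell
#!/bin/sh
# classify_sack_mitigation TCP_SACK TCP_MTU_PROBING RULES  (hypothetical helper)
#   TCP_SACK        value of net.ipv4.tcp_sack (0 = SACK disabled)
#   TCP_MTU_PROBING value of net.ipv4.tcp_mtu_probing
#   RULES           ruleset text in iptables-save format
# Prints one status word; returns 0 if a mitigation is in effect, else 1.
classify_sack_mitigation() {
    tcp_sack=$1 mtu_probing=$2 rules=$3

    # Option 1: the vulnerable component (SACK) is switched off.
    if [ "$tcp_sack" = "0" ]; then
        echo "sack-disabled"; return 0
    fi

    # Option 2: an INPUT rule that drops packets by MSS via the tcpmss match.
    if printf '%s\n' "$rules" |
        grep -Eq -- '^-A INPUT .*-m tcpmss --mss [0-9]+(:[0-9]+)? .*-j DROP'; then
        # Assumption taken from the upstream advisories, not from this page:
        # the MSS filter is only effective while tcp_mtu_probing is 0.
        if [ "$mtu_probing" = "0" ]; then
            echo "mss-filter"; return 0
        fi
        echo "mss-filter-but-mtu-probing-on"; return 1
    fi

    echo "unmitigated"; return 1
}

# Constructed sample ruleset (not from a real host). The MSS range is a
# placeholder; use the range given in the Red Hat advisory.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Live check, only when invoked with --live (iptables-save needs root).
if [ "${1:-}" = "--live" ]; then
    classify_sack_mitigation "$(sysctl -n net.ipv4.tcp_sack)" \
        "$(sysctl -n net.ipv4.tcp_mtu_probing)" \
        "$(iptables-save 2>/dev/null)" || true
fi
```

The check only reads state; it covers IPv4 rules, so an ip6tables-save dump has to be passed separately on hosts that accept IPv6 traffic.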

