A security flaw was found in the Linux kernel: map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. An unprivileged user with CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace. This is possible because the user/group ID transformation is performed correctly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
An upstream patch:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1652681]
This was fixed for Fedora with the 4.19.2 kernel rebase.
This issue does not affect the Linux kernel versions as shipped with Red Hat Enterprise Linux 5, 6 and 7 because they did not include the commit that introduced this issue.
This issue does not affect Red Hat Enterprise Linux 8 because the fix for this issue has been included since the Red Hat Enterprise Linux 8 release.
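An audit sketch for the condition named in the description (a user namespace whose UID or GID map has more than 5 ranges), added here as an example and not taken from the kernel or from this bug report. It assumes the standard /proc/<pid>/uid_map and gid_map format of three integers per line (ID inside the namespace, ID outside, length); the function names are hypothetical, and it checks only the range count, not nesting or whether the running kernel carries the fix.

```python
import os
import re

# Threshold from the advisory text: maps with more than 5 ranges are the ones mishandled.
MAX_SAFE_EXTENTS = 5
_EXTENT = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_map(text):
    """Parse uid_map/gid_map content into (inside_id, outside_id, length) tuples."""
    extents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _EXTENT.match(line)
        if m is None:
            raise ValueError(f"malformed id map line: {line!r}")
        extents.append(tuple(int(g) for g in m.groups()))
    return extents

def exceeds_threshold(text):
    """True when the map has more ranges than the advisory's limit of 5."""
    return len(parse_id_map(text)) > MAX_SAFE_EXTENTS

def scan_proc(proc="/proc"):
    """Group flagged processes by user namespace: {ns_link: {"pids", "maps"}}."""
    flagged = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            ns = os.readlink(os.path.join(base, "ns", "user"))
            hits = []
            for name in ("uid_map", "gid_map"):
                with open(os.path.join(base, name)) as fh:
                    if exceeds_threshold(fh.read()):
                        hits.append(name)
        except (OSError, ValueError):
            continue  # process exited, access denied, or unreadable map
        if hits:
            rec = flagged.setdefault(ns, {"pids": [], "maps": set()})
            rec["pids"].append(int(entry))
            rec["maps"].update(hits)
    return flagged

# Constructed sample maps (not captured from a real system).
SAMPLE_SIX = "\n".join(f"{i * 1000} {100000 + i * 1000} 1000" for i in range(6))
SAMPLE_ONE = "         0          0 4294967295\n"

if __name__ == "__main__":
    for ns, rec in scan_proc().items():
        print(ns, sorted(rec["maps"]), rec["pids"])
```

Run as root to see the maps of all processes; each flagged namespace is a candidate for review on kernels that lack the fix.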