A flaw was found in the Linux kernel SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
At this time, there is no known ability for an attacker to use this to abuse this flaw as capabilities are required to process any 'modify' operation.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1844353]
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This was fixed for Fedora with the 5.6.11 stable kernel updates.