Discovered and reported by security researcher Juha-Matti Tilli, the security flaw (CVE-2018-5390) could allow a remote attacker to cause a denial of service on affected machines by triggering worst-case code paths in Transmission Control Protocol (TCP) stream reassembly that has low rates using malicious packets. Additionally, the kernel security update released by the Debian Project also patches a security vulnerability (CVE-2018-13405) discovered by Jann Horn in Linux kernel’s inode_init_owner function in fs/inode.c, which could allow local attackers to escalate their privileges by crafting files with unintended group ownership.