Basic mitigation
Known exploits for the CVE-2016–5195 vulnerability involve the madvise syscall, so it’s possible to mitigate by excluding the necessary call via a systemd service or container configuration. This is easy with for a systemd unit:
[Service] SystemCallFilter=~madvise
The tilde after the equal sign indicates that this is a blacklist of syscalls.
As with any configuration change, you’ll want to test this out before deploying it. …
Read more at David Timothy Strauss Blog
