CVE-2019-20794: 
Linux Kernel vulnerability analysis and mitigation

CVE-2019-20794 is a vulnerability discovered in the Linux kernel versions 4.18 through 5.6.11 when unprivileged user namespaces are allowed. The vulnerability was disclosed on May 9, 2020, affecting Linux kernel systems that permit unprivileged user namespace operations (Ubuntu Security, NVD).

The vulnerability occurs when a user creates their own PID namespace and mounts a FUSE filesystem. If the userspace component is terminated via a kill of the PID namespace's pid 1, it results in a hung task with FUSE requests going into an Uninterruptible state. The issue specifically manifests in the request_wait_answer function, where resources become permanently locked until system reboot. The vulnerability has been assigned a CVSS score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

The primary impact of this vulnerability is resource exhaustion leading to a denial of service (DoS) condition. When exploited, it causes system resources to be permanently locked up until the system is rebooted, as the FUSE requests remain in an uninterruptible state and the mount namespace cannot be properly torn down (Red Hat Security).

According to the Linux kernel documentation, a mitigation exists where administrators can write to /sys/fs/fuse/connections/NNN/abort once the user namespace is closed. This provides a way to handle hung FUSE connections (Ubuntu Security).