In the Linux kernel through 4.20.10, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.
Today updates were pushed by upstream that contain the fix:
5.0-r7 seems to be still affected; this shouldn't matter as 5.0 or RC8 might be released within the next days (based on the typical "release cycle").
Kernels prior to 4.10 might be unaffected according to a German news magazine.
With the fix applied the file crypto/af_alg.c must contain inside the
function af_alg_release() the additional line
sock->sk = NULL;
(plus the corresponding curly brackets).
The fix is inside the commit with the summary "net: crypto set sk to NULL when af_alg_release." respectively 5.0 commit 9060cb719e61b685ec0102574e10337fa5f445ea.
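The source check described above can be scripted for auditing a local kernel tree. This is an added example, not part of the original report or of the kernel project's code; the function names are hypothetical and the two embedded C samples are constructed from the description above rather than copied from a kernel tree.

```python
import re
import sys

# Constructed samples: af_alg_release() without and with the described fix.
UNPATCHED = """\
int af_alg_release(struct socket *sock)
{
	if (sock->sk)
		sock_put(sock->sk);
	return 0;
}
"""

PATCHED = """\
int af_alg_release(struct socket *sock)
{
	if (sock->sk) {
		sock_put(sock->sk);
		sock->sk = NULL;
	}
	return 0;
}
"""

def function_body(source, name):
    """Return the brace-delimited body of the definition of `name`, or None."""
    # A definition is "name(params) {"; calls end in ";" and are skipped.
    for m in re.finditer(r"\b%s\s*\([^;{)]*\)\s*\{" % re.escape(name), source):
        depth, start = 0, m.end() - 1
        for i in range(start, len(source)):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    return source[start:i + 1]
    return None

def has_fix(source):
    """True/False if af_alg_release() clears sock->sk; None if not found."""
    # Drop comments first so a commented-out assignment does not count.
    code = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)
    body = function_body(code, "af_alg_release")
    if body is None:
        return None
    return re.search(r"\bsock\s*->\s*sk\s*=\s*NULL\s*;", body) is not None

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PATCHED
    print({True: "fix present", False: "fix MISSING", None: "function not found"}[has_fix(text)])
```

Run it with the path to crypto/af_alg.c as the first argument; without an argument it checks the embedded patched sample.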
Stable candidates committed in: