FFS again?? https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
If you have a modular kernel, blocking loading of modules esp4 and esp6 (IPsec 馃挬) in modprobe.d config should mitigate.
Given that this is the second time, a system-global seccomp filter blocking all splice-type syscalls/syscall-flags would probably be safer.
