diff --git a/defaults/main.yml b/defaults/main.yml
index 6f70a1e2..2e7d097f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -228,6 +228,10 @@ security_sysctl_enable_tcp_syncookies: yes # V-38539
 # change.
 security_disable_ipv6: no # V-38546
 
+# Sets the global challenge ACK counter to a large value such
+# that a potential attacker could not reasonably come up against it.
+security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696
+
 ## Mail
 # The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
 # configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
diff --git a/doc/source/developer-notes/CVE-2016-5696.rst b/doc/source/developer-notes/CVE-2016-5696.rst
new file mode 100644
index 00000000..261fd668
--- /dev/null
+++ b/doc/source/developer-notes/CVE-2016-5696.rst
@@ -0,0 +1,11 @@
+This task in the security role will set the global challenge ACK counter
+to a large value to protect systems for a vulnerability in TCP stack
+implementation of the Linux kernel (`CVE-2016-5696`_).
+
+To opt-out of this change, adjust the following variable:
+
+.. code-block:: yaml
+
+   security_set_tcp_challenge_ack_limit: no
+
+.. _CVE-2016-5696: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
index 096e0b1c..4b0653f5 100644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@@ -184,3 +184,15 @@
     - kernel
     - cat2
     - V-38524
+
+- name: CVE-2016-5696 - Sets the global challenge ACK counter to a large value
+  sysctl:
+    name: net.ipv4.tcp_challenge_ack_limit
+    value: 1073741823
+    state: present
+    sysctl_set: yes
+  when: security_set_tcp_challenge_ack_limit | bool
+  tags:
+    - kernel
+    - cat3
+    - CVE-2016-5696
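Review bot: The new comment in defaults/main.yml explains the mechanism ("a large value") but not the risk it closes, so an operator reading the default cannot tell what opting out gives up; I would reword it to state the purpose, e.g. `# Raise the global challenge ACK rate limit so the shared counter cannot be` / `# exhausted and used as a side channel to infer TCP connection state (CVE-2016-5696).` The `yes` literal is a YAML 1.1 truthy and yamllint's truthy rule will flag it, but the surrounding lines (`security_sysctl_enable_tcp_syncookies: yes`, `security_disable_ipv6: no`) use the same convention, so keeping it consistent here and converting the whole file in one pass is the cleaner route. The `when: ... | bool` guard in tasks/kernel.yml already copes with either spelling.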
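Review bot: The `value: 1073741823` in the new tasks/kernel.yml task is a magic number with no explanation of why this particular value was chosen or what it does to the kernel's behaviour; a one-line comment above it would save the next maintainer a lookup, e.g. `# 2^30 - 1: effectively disables the global per-second challenge ACK limit so the counter cannot be probed (CVE-2016-5696)`. Since the sysctl module defaults to writing the setting to /etc/sysctl.conf and reloading, it may also be worth noting in the task name or comment that the change is persisted, not just applied live via `sysctl_set`. On kernels that already carry the upstream fix the sysctl still exists, so the task should be harmless there, but I have not verified that against a patched kernel and would hedge the developer note accordingly. The enclosing task list starts outside this hunk.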