Fixed kernel was released to Debian stable well over a month ago (my logs have it installed on 2/12). So unless you ignore kernel security updates you should already be covered.
Unfortunately, this was almost the same time that the Debian devs also pushed the ill-conceived Nvidia-driver-breaking kernel patch, so I wouldn't be surprised if a lot of people had disabled kernel updates.
Correct, but it is definitively worth updating for on high-profile systems.
I have not tested it, but because I have included the namespace escape in the exploit for KernelCTF, it may be able to break out of LXC containers and privileged Docker containers running on vulnerable Linux kernels.
This is an educated guess, but I believe unprivileged Docker containers cannot create (user) namespaces. Hence, the vulnerability cannot be triggered, since the exploit requires interaction with nf_tables, which requires (namespace) root.
LXC containers and privileged Docker containers allow these namespaces to be made inside of them, whilst unprivileged Docker containers do not.
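A quick way for an operator to check the premise of the two comments above (whether the environment they are looking at can even create an unprivileged user namespace) is to try it and to read the kernel knobs that govern it. The script below is an added example, not code from any poster in this thread; it assumes `unshare(1)` from util-linux is installed, and that the `kernel.unprivileged_userns_clone` sysctl (a Debian/Ubuntu kernel patch, absent on many other distributions) may or may not be present.

```shell
#!/bin/sh
# Added example: report whether this environment can create an unprivileged
# user namespace, which is the prerequisite the thread identifies for reaching
# nf_tables from inside a container. Run it inside the container under review.

# Prints "allowed" if an unprivileged user namespace can be created here,
# "blocked" if the attempt is refused (sysctl, seccomp, or kernel config), and
# "unknown" if unshare(1) is not installed. Assumes util-linux unshare.
userns_status() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo unknown
        return
    fi
    if unshare --user --map-root-user true 2>/dev/null; then
        echo allowed
    else
        echo blocked
    fi
}

# Prints the kernel knobs that govern user-namespace creation, where present.
# kernel.unprivileged_userns_clone is the Debian/Ubuntu-specific switch;
# user.max_user_namespaces is the upstream per-user limit (0 disables creation).
userns_sysctls() {
    for key in kernel.unprivileged_userns_clone user.max_user_namespaces; do
        path="/proc/sys/$(echo "$key" | tr . /)"
        if [ -r "$path" ]; then
            printf '%s = %s\n' "$key" "$(cat "$path")"
        else
            printf '%s = (not present)\n' "$key"
        fi
    done
}

echo "user namespace creation: $(userns_status)"
userns_sysctls
```

"blocked" inside a default (unprivileged) Docker container is the expected result, because Docker's default seccomp profile refuses `unshare`/`clone` with `CLONE_NEWUSER`; "allowed" inside an LXC or privileged container is the case the comments above are talking about, and the fix there remains running the patched kernel on the host.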