diff --git a/NEWS b/NEWS
index ac0741d953..a9a2c0e80a 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ Release notes take the form of the following optional categories:
 * Bug fixes
 * Cleanups
 
+Security:
+* make.globals: disable FEATURES="sfperms" by default (bug #938164).
+
 Bug fixes:
 * depgraph: Ignore blockers when computing virtual deps visibility (PR #1387).
 
diff --git a/cnf/make.globals b/cnf/make.globals
index 33e99e9ec3..94eac65684 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -79,8 +79,7 @@ FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs
           config-protect-if-modified distlocks ebuild-locks
           fixlafiles ipc-sandbox merge-sync merge-wait multilib-strict
           network-sandbox news parallel-fetch pkgdir-index-trusted pid-sandbox
-          preserve-libs protect-owned qa-unresolved-soname-deps
-          sandbox sfperms strict
+          preserve-libs protect-owned qa-unresolved-soname-deps sandbox strict
           unknown-features-warn unmerge-logs unmerge-orphans userfetch
           userpriv usersandbox usersync"