CVE-2023-1074: 
Linux Kernel vulnerability analysis and mitigation

A type confusion flaw (CVE-2023-1074) was discovered in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. The vulnerability was discovered by Pietro Borrello and disclosed on January 23, 2023. The issue affects the Linux kernel's SCTP protocol implementation, specifically in the inet_diag_msg_sctpasoc_fill() function in net/sctp/diag.c (OSS Security).

The vulnerability occurs when a type confused pointer is used to return information to userspace when issuing a list_entry() on asoc->base.bind_addr.address_list.next when the list is empty. While the list should never be empty, it can become empty when binding an SCTP socket with specific IPv6 configurations and requesting connections with unmatched scopes. The CVSS v3.1 base score for this vulnerability is 4.7 (Medium), with Local attack vector and High attack complexity (NVD).

The type confusion results in a KASLR (Kernel Address Space Layout Randomization) leak since the laddr.v6.sin6_addr is returned from the type confused pointer, which overlaps with struct sctp_endpoint *ep of the struct sctp_association. This could allow a local user to cause a denial of service through resource exhaustion (memory leak) (Ubuntu Security).

The fix was implemented by Marcelo Ricardo Leitner and prevents connections to sockets with unmatched scopes. The patch was merged into the Linux kernel through commit 458e279f861d3f61796894cd158b780765a1569f. The fix has been backported to various Linux distributions including Ubuntu, Red Hat Enterprise Linux, and Debian (Kernel Commit).