CVE-2023-1390: 
Linux Kernel vulnerability analysis and mitigation

A remote denial of service vulnerability (CVE-2023-1390) was discovered in the Linux kernel's TIPC kernel module. The vulnerability was found in versions prior to kernel 5.11-rc4, where the while loop in tipc_link_xmit() encounters an unknown state while attempting to parse SKBs that are not in the queue (NVD, Ubuntu).

The vulnerability occurs in the tipc_link_xmit() function where the buffer list can have zero skb. The issue arises when the function attempts to parse Socket Buffers (SKBs) that are not present in the queue, potentially leading to a NULL pointer dereference. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

When exploited, sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system instantly spiking to 100%, causing a denial of service condition. This can effectively render the affected system unresponsive (Ubuntu).

The vulnerability has been fixed in Linux kernel version 5.11-rc4 through a patch that adds additional checks in the tipc_link_xmit() function. The fix includes verifying the packet count before processing and implementing proper validation of the SKB queue. Various Linux distributions have released patches for their respective kernel versions (GitHub Linux).