CVE-2023-2177: 
Linux Kernel vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2023-2177) was discovered in the SCTP network protocol, specifically in the net/sctp/stream_sched.c file of the Linux Kernel. The vulnerability was identified when stream_in allocation fails, causing stream_out to be freed and subsequently accessed, leading to potential system instability (CVE Details).

The vulnerability occurs in the SCTP network protocol implementation when calling sctp_sendmsg without first connecting to the server. When processing INIT_ACK from the server in sctp_process_init(), the system calls sctp_stream_init() to allocate stream_in. If this allocation fails, all stream_out resources are freed in sctp_stream_init's error path, leading to a crash during association freeing when attempting to dequeue data chunks due to missing stream_out (Kernel Commit).

The vulnerability allows local users to crash the system or potentially cause a denial of service condition. When exploited, it can lead to system instability through null pointer dereference (CVE Details).

The issue has been fixed in various Linux distributions through kernel updates. The fix involves moving the error path stream_out/in freeing in sctp_stream_init() to sctp_stream_free(), which is called when freeing the association in sctp_association_free(). This prevents the premature freeing of stream resources (Kernel Commit).