CVE-2023-23455: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-23455 affects the Linux kernel through version 6.1.4, specifically in the atmtcenqueue function within net/sched/schatm.c. The vulnerability was discovered by Kyle Zeng and disclosed in January 2023. The issue stems from a type confusion vulnerability where non-negative numbers can sometimes indicate a TCACT_SHOT condition rather than valid classification results (Kernel Commit, NVD).

The vulnerability occurs in the ATM Virtual Circuits (ATM) network scheduler where classification results are interpreted before checking the classification return code. The issue arises when result >= 0 does not ensure res.class contains valid results, particularly when result indicates the packet should be dropped (TCACTSHOT) while res.class contains invalid data. This leads to a type confusion between different struct types (OSS Security). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability allows attackers to cause a denial of service condition through type confusion. A proof-of-concept crash report demonstrates the potential for slab-out-of-bounds read operations, which can lead to system crashes (OSS Security).

The vulnerability has been patched in the Linux kernel with commit a2965c7be0522eaa18808684b7b82b248515511b. Various Linux distributions have released security updates to address this issue, including Debian which fixed it in version 5.10.162-1 for the stable distribution (bullseye) (Debian Security).