CVE-2023-28327: 
Linux Kernel vulnerability analysis and mitigation

A NULL pointer dereference vulnerability (CVE-2023-28327) was discovered in the UNIX protocol implementation within net/unix/diag.c of the Linux Kernel versions prior to 6.0. The vulnerability was identified in the unix_diag_get_exact function where a newly allocated skb lacks proper sk initialization (Red Hat CVE, Ubuntu Security).

The vulnerability exists in the Linux Kernel's UNIX protocol implementation, specifically in the net/unix/diag.c file. The issue occurs in the unix_diag_get_exact function where a socket buffer (skb) is allocated without proper socket (sk) initialization, leading to a NULL pointer dereference. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

This vulnerability allows local users to crash the system or potentially cause a denial of service condition. The impact is limited to availability with no direct effects on confidentiality or integrity of the system (Red Hat Bugzilla).

The vulnerability has been fixed in Linux Kernel version 6.0 and later. Various Linux distributions have released patches for their respective versions. For example, Ubuntu has fixed this in versions 5.15.0-67.74 for 22.04 LTS and 5.4.0-144.161 for 20.04 LTS. Red Hat has addressed this in RHEL 9.0 through security updates RHSA-2023:5603 and RHSA-2023:5604 (Ubuntu Security, Red Hat Errata).