CVE-2023-2860: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-2860 is an out-of-bounds read vulnerability discovered in the SR-IPv6 implementation of the Linux kernel. The vulnerability was reported on August 23, 2022, and publicly disclosed on May 17, 2023. The flaw specifically exists within the processing of seg6 attributes, affecting Linux kernel versions up to 5.19.19 and various release candidates of version 6.0 (NVD, ZDI).

The vulnerability stems from improper validation of user-supplied data during the processing of seg6 attributes in the IPv6 Segment Routing implementation. This validation issue can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (Medium) with the vector string AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating local access requirements and high privileges needed for exploitation (ZDI).

The vulnerability allows privileged local users to disclose sensitive information, specifically kernel memory, on affected installations of the Linux kernel. While the direct impact is limited to information disclosure, an attacker could potentially leverage this vulnerability in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel (ZDI).

Linux has issued an update to correct this vulnerability through a patch that can be found at https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=84a53580c5d2. Various Linux distributions have also released security updates to address this vulnerability (ZDI).