CVE-2023-28772: 
Linux Kernel vulnerability analysis and mitigation

A buffer overflow vulnerability was discovered in the Linux kernel before version 5.13.3, specifically in the seqbufputmemhex function within lib/seqbuf.c. The vulnerability was disclosed on March 23, 2023, and affects various Linux kernel versions prior to 5.13.3 (NVD, MITRE).

The vulnerability stems from an incorrect buffer handling in the seqbufputmemhex function. There are two variables being increased in the loop (i and j), where i follows the raw data, and j follows what is being written into the buffer. The original code mistakenly compared the wrong variable to HEXCHARS, which could lead to buffer overflow if j exceeded HEX_CHARS (Linux Commit, Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 6.7 MEDIUM with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability requires local access and high privileges to exploit (NetApp Advisory).

The vulnerability was fixed in Linux kernel version 5.13.3. The fix involves correcting the buffer size comparison in seqbufputmemhex function by comparing i to MAXMEMHEXBYTES instead of comparing with HEXCHARS (Linux Commit). Users are advised to upgrade to Linux kernel version 5.13.3 or later to address this vulnerability.