CVE-2023-32247: 
CBL Mariner vulnerability analysis and mitigation

A vulnerability (CVE-2023-32247) was discovered in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The flaw exists within the handling of SMB2SESSIONSETUP commands and results from the lack of control of resource consumption. The vulnerability was reported on April 27, 2023, and publicly disclosed on May 17, 2023. The issue affects Linux kernel versions prior to 6.4-rc1 with ksmbd enabled (ZDI Advisory, NVD).

The vulnerability stems from improper handling of session setup requests in the KSMBD implementation. It has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. The issue has been classified as CWE-401 (Missing Release of Memory after Effective Lifetime) (ZDI Advisory, Red Hat Bugzilla).

An attacker can leverage this vulnerability to create a denial-of-service condition on the system through memory exhaustion. The attack can be executed remotely without requiring authentication, potentially leading to system unavailability (ZDI Advisory).

Linux has issued an update to correct this vulnerability in kernel version 6.4-rc1. The fix can be found in the upstream commit ea174a91893956450510945a0c5d1a10b5323656. Various Linux distributions have also released patches for their respective versions (ZDI Advisory, Red Hat Bugzilla).