CVE-2023-39197: 
Linux Kernel vulnerability analysis and mitigation

An out-of-bounds read vulnerability was discovered in the Netfilter Connection Tracking (conntrack) component of the Linux kernel, identified as CVE-2023-39197. The vulnerability was discovered by Eric Dumazet and was first reported on June 28, 2023. This security flaw affects Linux kernel versions from 2.6.26 up to versions before 5.4.251, 5.10.188, 5.15.121, and 6.1.39 (NVD, Ubuntu Security).

The vulnerability is classified as an out-of-bounds read issue in the DCCP protocol handling within the Netfilter Connection Tracking subsystem. The flaw occurs when the kernel does not properly handle DCCP conntrack buffers in certain situations. It has been assigned a CVSS v3.1 base score of 7.5 (High) by NIST and 4.0 (Medium) by Red Hat, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows remote attackers to disclose sensitive information from kernel memory through the DCCP protocol. This information disclosure could potentially expose sensitive system data to unauthorized users (CVE Mitre, Ubuntu Security).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has fixed the issue in versions 5.15.0-86.96 (22.04 LTS), 5.4.0-166.183 (20.04 LTS), and 4.15.0-223.235 (18.04 LTS). Debian has also released fixes in versions 5.10.234-1 for bullseye and 6.1.128-1 for bookworm. The vulnerability was fixed in the mainline kernel with version 6.5-rc1 (Debian Tracker, Ubuntu Security).