CVE-2023-45862: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability was discovered in the ENE UB6250 reader driver (drivers/usb/storage/ene_ub6250.c) in the Linux kernel before version 6.2.5. The issue involves an object potentially extending beyond its allocated memory space (Kernel Changelog, NVD).

The vulnerability stems from an insufficient memory allocation in the ENE UB6250 USB card reader driver. The PageBuffer allocation was set to 512 bytes, but the dereferencing of struct msbootblockidi (also 512 bytes) occurs at a calculated offset within the allocation, potentially allowing access beyond the allocated memory. The issue was identified by GCC 13's array bounds checking. The CVSS v3.1 base score is 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to a denial of service (DoS) condition when successfully exploited. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in Linux kernel version 6.2.5 by modifying the memory allocation size in the ENE UB6250 driver. The fix involves changing the allocation from kmalloc(MSBYTESPERPAGE) to kzalloc(MSBYTESPERPAGE * 2) to ensure sufficient space for the object (Kernel Commit).