CVE-2023-46343: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-46343 is a vulnerability in the Linux kernel before version 6.5.9, specifically affecting the NFC Controller Interface (NCI) implementation. The vulnerability involves a NULL pointer dereference in the send_acknowledge function located in net/nfc/nci/spi.c. This issue was discovered by 黄思聪 and was publicly disclosed in January 2024 (NVD).

The vulnerability stems from improper handling of memory allocation failure in the sendacknowledge function. When nciskballoc() (which calls allocskb()) fails, it returns NULL, but the code did not properly check for this condition before dereferencing the pointer. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash (denial of service) when triggered by a local attacker. The NULL pointer dereference occurs in the NFC subsystem's SPI implementation, which could affect systems using NFC functionality (Ubuntu).

The vulnerability has been fixed in Linux kernel version 6.5.9 and later. The fix involves adding a proper NULL pointer check after the nciskballoc() call and returning -ENOMEM in case of allocation failure. Users should upgrade to kernel version 6.5.9 or later to mitigate this vulnerability (Kernel Patch).