CVE-2023-46862: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-46862 is a vulnerability discovered in the Linux kernel through version 6.5.9, identified on October 29, 2023. The vulnerability involves a NULL pointer dereference that can occur in the io_uring/fdinfo.c io_uring_show_fdinfo function during a race condition with SQ thread exit (NVD, Kernel Bugzilla).

The vulnerability stems from a race condition in the io_uring subsystem where a NULL pointer dereference can occur when accessing the sq->thread information. The issue arises due to missing locking mechanisms when referencing io_sq_data in io_uring_show_fdinfo. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium), with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can lead to a denial of service (system crash) through a NULL pointer dereference. The impact is limited to local attacks and requires low privileges to execute (Ubuntu Security).

The vulnerability has been fixed through a patch that implements proper locking of the SQ thread while retrieving thread CPU/PID information. The fix involves grabbing the SQPOLL data lock before attempting to access task CPU and PID information for fdinfo, ensuring a stable view of the thread state (GitHub Patch). Multiple Linux distributions have released updates to address this vulnerability, including Ubuntu and Debian (Debian LTS).