CVE-2023-51782: 
Linux Kernel vulnerability analysis and mitigation

A race condition vulnerability (CVE-2023-51782) was discovered in the Linux kernel before version 6.6.8. The issue exists in the rose_ioctl function within net/rose/af_rose.c, which can lead to a use-after-free condition due to a rose_accept race condition (NVD, Kernel Patch).

The vulnerability occurs because rose_ioctl() accesses sk->sk_receive_queue without holding a sk->sk_receive_queue.lock, creating a race condition with rose_accept(). The race condition flow involves rose_ioctl() calling skb_peek() while rose_accept() calls skb_dequeue() followed by kfree_skb(), leading to a use-after-free condition. The issue has been assigned a CVSS v3.1 Base Score of 7.0 (HIGH) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow a local attacker to cause a denial of service (system crash) or potentially execute arbitrary code in the kernel context. This module is not auto-loaded on Debian systems, so the impact is limited to systems where it is explicitly loaded (Debian Advisory).

The vulnerability has been fixed by adding sk->sk_receive_queue.lock to rose_ioctl(). The fix is included in Linux kernel version 6.6.8 and has been backported to various distributions. Users should upgrade their kernel to a patched version (Kernel Patch).