CVE-2023-6040
Linux Kernel vulnerability analysis and mitigation

Overview

An out-of-bounds access vulnerability (CVE-2023-6040) was discovered in the Linux kernel's netfilter subsystem. It was reported by Lin Ma from Ant Security Light-Year Lab and was fixed in Linux kernel version 5.18-rc1. The issue affects upstream stable kernel versions 5.4.y, 5.10.y, and 5.15.y. The vulnerability stems from a missing safeguard against invalid nf_tables family (pf) values in the nf_tables_newtable function during the creation of new netfilter tables (OSS Security).

Technical details

The vulnerability manifests as an out-of-bounds access issue in two specific locations: 1) In the xt_find_target function within x_tables.c, where the xt array can be dereferenced without a boundary check, allowing an attacker to fake xt_af data, and 2) In the nf_logger_find_get function within nf_log.c, where the pf parameter is used as an index on the loggers global array containing struct nf_logger members. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
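
A simplified user-space model of the pattern described above, added here as an illustration and not taken from the kernel source or the advisory: a family value from a request indexes a fixed-size array, shown beside a family allow-list at table creation and a bounds check in the lookup. The NFPROTO_* numbers are those in <linux/netfilter.h>; the struct, the one-dimensional array and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Family numbers as in the kernel UAPI header <linux/netfilter.h>. */
enum { NFPROTO_INET = 1, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3, NFPROTO_NETDEV = 5,
       NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10, NFPROTO_NUMPROTO = 13 };

struct logger { const char *name; };      /* stand-in for struct nf_logger */
static struct logger ipv4_log = { "ipv4-log" };   /* constructed sample entry */
static struct logger *loggers[NFPROTO_NUMPROTO] = { [NFPROTO_IPV4] = &ipv4_log };

/* Unchecked pattern: pf arrives as a u8 (0..255) and indexes a 13-slot
 * array directly, so any pf >= NFPROTO_NUMPROTO reads adjacent memory. */
static struct logger *logger_find_unchecked(uint8_t pf)
{
    return loggers[pf];
}

/* Safeguard at table creation: accept only families the subsystem handles. */
static int family_supported(uint8_t family)
{
    switch (family) {
    case NFPROTO_INET: case NFPROTO_IPV4: case NFPROTO_ARP:
    case NFPROTO_NETDEV: case NFPROTO_BRIDGE: case NFPROTO_IPV6:
        return 1;
    default:
        return 0;
    }
}

/* Hypothetical model of table creation: 0 accepts, -1 rejects the request. */
static int newtable_checked(uint8_t family)
{
    return family_supported(family) ? 0 : -1;
}

/* Defence in depth: the lookup itself refuses an index outside the array. */
static struct logger *logger_find_checked(uint8_t pf)
{
    return pf < NFPROTO_NUMPROTO ? loggers[pf] : NULL;
}

int main(void)
{
    const uint8_t constructed[] = { NFPROTO_IPV4, NFPROTO_IPV6, 12, 13, 200 };
    for (size_t i = 0; i < sizeof constructed; i++)
        printf("family %3u: create=%d logger=%p\n", constructed[i],
               newtable_checked(constructed[i]),
               (void *)logger_find_checked(constructed[i]));
    return logger_find_unchecked(NFPROTO_IPV4) == &ipv4_log ? 0 : 1;
}
```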

Impact

The vulnerability enables an attacker to achieve out-of-bounds access to kernel memory. Through this access, an attacker could fake struct nf_logger data and use invalid pf values to dereference adjacent global data, potentially leading to privilege escalation, information disclosure, or system compromise (OSS Security).

Mitigation and workarounds

The primary mitigation is to disable unprivileged user namespaces. For temporary mitigation, administrators can execute 'sudo sysctl -w kernel.unprivileged_userns_clone=0'. For permanent mitigation across reboots, add 'kernel.unprivileged_userns_clone=0' to /etc/sysctl.d/99-disable-unpriv-userns.conf. The vulnerability has been fixed in Linux kernel version 5.18-rc1 and later, and patches are available for affected stable versions (OSS Security).

This report was generated using AI.

Related Linux Kernel vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-68764 | N/A | N/A | Linux Kernel | kernel-64k-debug-modules | No | Yes | Jan 05, 2026 |
| CVE-2025-68762 | N/A | N/A | Linux Kernel | kernel-debug | No | Yes | Jan 05, 2026 |
| CVE-2025-68758 | N/A | N/A | Linux Kernel | linux-riscv | No | Yes | Jan 05, 2026 |
| CVE-2025-68756 | N/A | N/A | Linux Kernel | linux-fips | No | Yes | Jan 05, 2026 |
| CVE-2025-68753 | N/A | N/A | Linux Kernel | python3-perf | No | Yes | Jan 05, 2026 |
