CVE-2023-6176: 
Linux Kernel vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2023-6176) was discovered in the Linux kernel API's cryptographic algorithm scatterwalk functionality. The vulnerability was disclosed on November 16, 2023, affecting the Linux kernel's TLS subsystem. The issue specifically impacts Linux kernel systems where users can construct malicious packets with specific socket configurations (NVD, Ubuntu).

The vulnerability occurs when a user constructs a malicious packet with specific socket configuration that triggers the scatterwalk_copychunks function. When exploited, the calculated address becomes an invalid kernel address (0xdffffc0000000001), which when accessed causes a kernel panic. The issue has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Red Hat Bugzilla).

When successfully exploited, this vulnerability allows a local user to either crash the system (denial of service) or potentially escalate their privileges on the system. The primary impact is on system availability through kernel panic (NVD).

The vulnerability has been fixed in various Linux distributions through security updates. Red Hat has addressed this in RHSA-2024:2394 for RHEL 9 and RHSA-2024:2950 for RHEL 8. Ubuntu has also released fixes for affected versions. The fix involves preventing the freeing of record information during asynchronous encryption operations (Kernel Commit).