CVE-2023-6531: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-6531 is a use-after-free vulnerability discovered in the Linux Kernel, specifically related to a race condition in the unix garbage collector's deletion of SKB (Socket Buffer) that races with unix_stream_read_generic() on the socket that the SKB is queued on. The vulnerability was first reported on December 5, 2023, and affects Linux Kernel versions up to (excluding) 6.7 (NVD).

The vulnerability stems from a race condition where unix_stream_read_generic() assumes that mutex_lock(&u->iolock) protects sk->sk_receive_queue against element removal, so it holds a pointer to an SKB on the sk->sk_receive_queue without any other protection, while scan_inflight() only takes spin_lock(&x->sk_receive_queue.lock) when stealing SKBs from the sk_receive_queue. The issue has been assigned a CVSS v3.1 base score of 7.0 (HIGH) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Red Hat).

The vulnerability could allow a local attacker to cause a denial of service (system crash) or potentially execute arbitrary code on the affected system. The high severity rating indicates significant potential impact on the confidentiality, integrity, and availability of the system (Ubuntu).

The vulnerability has been fixed in Linux Kernel 6.7-rc5 through a patch that completely disables sending io_uring files via sockets using SCM_RIGHT. This prevents possible cycles involving registered files and eliminates the need for SCM accounting on the io_uring side. Various Linux distributions have released security updates to address this vulnerability, including Red Hat Enterprise Linux 9 through RHSA-2024:2394 (Red Hat Bugzilla).