CVE-2023-6535: 
Linux Kernel vulnerability analysis and mitigation

A flaw was discovered in the Linux kernel's NVMe driver that allows an unauthenticated malicious actor to send crafted TCP packages when using NVMe over TCP, leading to a NULL pointer dereference in the nvmet_tcp_execute_request function in the NVMe driver, causing kernel panic and denial of service. The vulnerability was assigned CVE-2023-6535 and has a CVSS v3.1 base score of 7.5 (HIGH) (NVD).

The vulnerability exists in the NVMe-oF/TCP subsystem of the Linux kernel where an attacker can send specially crafted NVMe-oF/TCP packets that trigger a NULL pointer dereference in the nvmet_tcp_execute_request function. The issue has been assigned CWE-476 (NULL Pointer Dereference) classification (Red Hat Bugzilla).

When successfully exploited, this vulnerability can lead to a kernel panic resulting in a denial of service (DoS) condition on the affected system. The attack can be executed remotely by an unauthenticated attacker (NetApp Advisory).

The vulnerability has been fixed in multiple Linux distributions through security updates. Red Hat has released fixes in RHSA-2024:0723, RHSA-2024:0724, RHSA-2024:0725, and other subsequent updates. Debian has addressed this in version 5.10.209-2~deb10u1. Users are advised to update their systems with the latest available kernel patches (Red Hat Errata, Debian LTS).