CVE-2023-6536: 
Linux Kernel vulnerability analysis and mitigation

A flaw was discovered in the Linux kernel's NVMe driver (CVE-2023-6536) that was disclosed on February 7, 2024. The vulnerability affects Linux kernel versions from 5.0 up to versions before 5.4.268, 5.10.209, 5.15.148, and 6.1.75. This security issue allows an unauthenticated malicious actor to send crafted TCP packages when using NVMe over TCP, leading to a NULL pointer dereference in the NVMe driver (NVD, Debian Tracker).

The vulnerability is a NULL pointer dereference that occurs in the __nvmet_req_complete function of the NVMe driver when processing NVMe over TCP packets. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (Red Hat).

When successfully exploited, this vulnerability can cause a kernel panic leading to a denial of service (DoS) condition on the affected system. The impact is limited to system availability, with no direct impact on confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in multiple Linux kernel versions and distributions. Red Hat has released security updates through various advisories including RHSA-2024:0723, RHSA-2024:0724, and RHSA-2024:0725. Debian has addressed this in version 5.10.209-2~deb10u1. Users are advised to update their systems to the patched versions (Red Hat, Debian LTS).