CVE-2023-6932: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2023-6932) was discovered in the Linux kernel's IPv4 IGMP (Internet Group Management Protocol) component. The vulnerability was disclosed on December 19, 2023, affecting Linux kernel versions from 2.6.12 up to (excluding) 6.7. The issue stems from a race condition that can be exploited to cause a timer to be mistakenly registered on an RCU read locked object which is freed by another thread (NVD, Debian).

The vulnerability occurs due to a race condition in the IGMP implementation where a timer can be mistakenly registered on an RCU read locked object. The issue manifests when a device receives an IGMPv2 Query message and starts the timer immediately, regardless of whether the device is running. If the device is down and has left the multicast group, it causes a reference counting use-after-free issue. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (HIGH) by NVD with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can be exploited to achieve local privilege escalation. When successfully exploited, it could lead to denial of service (system crash), memory corruption, or potential arbitrary code execution with elevated privileges (Ubuntu).

The vulnerability has been fixed in Linux kernel commit e2b706c691905fe78468c361aaabc719d0a496f1. Various Linux distributions have released patches for their respective versions. For example, Debian has fixed this in version 4.19.304-1 for Debian 10 and 5.10.205-2 for other versions. Ubuntu has also released fixes across multiple kernel versions. Users are recommended to upgrade their kernel to a patched version (Debian, Kernel Patch).