
CVE-2024-26598: Vulnerability in Linux

Severity: High
Published: Fri Feb 23 2024 (02/23/2024, 14:46:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache

There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes.

Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt.

AI-Powered Analysis

Last updated: 07/03/2025, 01:57:48 UTC

Technical Analysis

CVE-2024-26598 is a high-severity use-after-free (UAF) vulnerability identified in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem for the ARM64 architecture, specifically within the virtual Generic Interrupt Controller's Interrupt Translation Service (vgic-its) component. The vulnerability arises from a race condition involving the LPI (Locality-specific Peripheral Interrupt) translation cache. When there is a cache hit in the LPI translation cache concurrent with an operation that invalidates the cache—such as a DISCARD ITS command—the function vgic_its_check_cache() fails to properly increment the reference count on the vgic_irq object before releasing the lock that serializes reference count changes. This improper handling can lead to a use-after-free scenario where the vgic_irq object is accessed after it has been freed, potentially causing memory corruption. The root cause is the lack of reference count elevation in vgic_its_check_cache(), which the patch addresses by adding the necessary increment before returning the vgic_irq and a corresponding decrement after queuing the interrupt. Exploiting this vulnerability could allow a local attacker with limited privileges (PR:L) to escalate privileges or cause denial of service by corrupting kernel memory. The CVSS 3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. No known exploits are reported in the wild as of the publication date (February 23, 2024).
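The interleaving described above can be replayed deterministically in a small user-space model. This is an added example, not kernel code and not the upstream patch; every name in it (model_irq, cache_lookup, cache_invalidate, replay_race) is hypothetical, and a `freed` flag stands in for actually releasing memory.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified user-space model, not kernel code; all names are hypothetical. */
struct model_irq {
    int  refcount;  /* changes are serialized by a lock in the real code */
    bool freed;     /* stands in for freeing: set when refcount hits 0 */
};
static struct model_irq *cache_slot;  /* one-entry cache, owns one reference */

static void irq_put(struct model_irq *irq)
{
    if (--irq->refcount == 0)
        irq->freed = true;            /* memory would be released here */
}

/* Cache hit. take_ref=false models returning the pointer with no reference. */
static struct model_irq *cache_lookup(bool take_ref)
{
    struct model_irq *irq = cache_slot;   /* lock held */
    if (irq && take_ref)
        irq->refcount++;
    return irq;                           /* lock dropped on return */
}

/* Invalidation (e.g. a DISCARD): the cache drops its reference. */
static void cache_invalidate(void)
{
    if (cache_slot)
        irq_put(cache_slot);
    cache_slot = NULL;
}

/* Replays hit -> invalidate -> queue; true if the object was freed at use. */
static bool replay_race(bool take_ref)
{
    struct model_irq irq = { .refcount = 1, .freed = false };
    cache_slot = &irq;
    struct model_irq *hit = cache_lookup(take_ref);
    cache_invalidate();                  /* lands after the lock is dropped */
    bool freed_at_use = hit->freed;      /* point where the IRQ is queued */
    if (take_ref)
        irq_put(hit);                    /* matching decrement after queueing */
    return freed_at_use;
}

int main(void)
{
    printf("freed at use: no ref = %d, ref taken = %d\n",
           replay_race(false), replay_race(true));
    return 0;
}
```

Without the extra reference, the invalidation drops the last reference while the lookup's caller still holds the pointer; with it, the object stays live until the caller's own decrement.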

Potential Impact

For European organizations, this vulnerability poses a significant risk especially to those relying on ARM64-based Linux systems running KVM virtualization. The potential for privilege escalation or kernel memory corruption could lead to unauthorized access to sensitive data, disruption of critical services, or compromise of virtualized environments. Organizations in sectors such as finance, telecommunications, cloud service providers, and government agencies that deploy ARM64 servers or edge computing infrastructure are particularly at risk. The vulnerability could be leveraged to bypass security controls, affecting confidentiality and integrity of data, and potentially causing system crashes or denial of service, impacting availability. Given the increasing adoption of ARM64 architectures in data centers and embedded systems across Europe, the threat surface is expanding. The absence of known exploits currently provides a window for proactive patching and mitigation before active exploitation occurs.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel versions to include the patch that addresses CVE-2024-26598. Since the vulnerability affects the KVM subsystem on ARM64, organizations should:

1) Identify all ARM64-based Linux hosts running KVM virtualization.
2) Apply vendor-provided kernel updates or backported patches promptly.
3) If immediate patching is not feasible, consider disabling KVM virtualization on ARM64 hosts temporarily to reduce attack surface.
4) Implement strict access controls to limit local user privileges, as exploitation requires local access with limited privileges.
5) Monitor system logs and kernel messages for unusual behavior or crashes related to vgic-its operations.
6) Employ runtime security tools capable of detecting memory corruption or anomalous kernel activity.
7) Engage with hardware and software vendors to confirm patch availability and deployment status.
8) For cloud environments, coordinate with providers to ensure underlying infrastructure is patched.
9) Conduct security audits focusing on ARM64 virtualization hosts to verify compliance and patch status.

These steps go beyond generic advice by focusing on ARM64 KVM environments and emphasizing local privilege restriction and monitoring.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.128Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe412b

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 7/3/2025, 1:57:48 AM

Last updated: 8/21/2025, 4:05:21 AM
