CVE-2024-26627 is a medium-severity vulnerability identified in the Linux kernel's SCSI (Small Computer System Interface) core subsystem. The issue arises from the way the function scsi_eh_wakeup() handles the invocation of scsi_host_busy() while holding a host lock. Specifically, scsi_host_busy() is called and checked under the host lock every time scsi_eh_wakeup() runs to determine if the error handler kernel thread needs to be woken up. This design leads to performance degradation and potential system hard lockups during recovery scenarios involving large numbers of hardware queues (N) and deep queue depths (M). Since scsi_host_busy() iterates over all tag/requests (N*M), repeated calls while holding the host lock cause excessive serialization and iteration, resulting in a hard lockup when acquiring the host lock. This behavior was observed on mpi3mr devices with 128 hardware queues and queue depth of 8169, demonstrating the scalability problem. The fix involves moving the call to scsi_host_busy() outside the host lock, as the host lock does not protect the busy count, thereby reducing lock contention and preventing hard lockups. The vulnerability does not affect confidentiality or integrity but impacts availability by causing system hangs or lockups under heavy SCSI recovery conditions. The CVSS 3.1 score is 5.5 (medium), reflecting the local attack vector, low complexity, low privileges required, no user interaction, and impact limited to availability. No known exploits are reported in the wild as of publication. The affected versions correspond to specific Linux kernel commits prior to the fix dated March 2024.

For European organizations, especially those operating large-scale Linux-based servers or storage systems with high-performance SCSI devices, this vulnerability poses a risk of system unavailability due to hard lockups during error recovery. Data centers, cloud providers, and enterprises relying on Linux servers with multi-queue SCSI hardware could experience service disruptions or downtime, impacting business continuity. The issue is particularly relevant for environments with high I/O workloads and advanced storage controllers (e.g., mpi3mr) that utilize many hardware queues and deep queue depths. Although the vulnerability does not compromise data confidentiality or integrity, the availability impact can affect critical infrastructure, financial services, telecommunications, and manufacturing sectors prevalent in Europe. Systems that do not perform frequent SCSI error recovery or have fewer hardware queues may be less affected. The absence of known exploits reduces immediate risk, but the potential for denial-of-service conditions warrants timely patching to maintain operational stability.

European organizations should promptly update their Linux kernels to versions containing the fix for CVE-2024-26627. Specifically, they should apply kernel patches that move the scsi_host_busy() call outside the host lock in the SCSI core. System administrators should audit their environments for Linux servers running affected kernel versions, especially those using high-performance SCSI storage controllers with multiple hardware queues and deep queue depths. Monitoring SCSI error recovery logs and system responsiveness during heavy I/O operations can help detect symptoms of this issue. For environments where immediate patching is challenging, consider temporarily reducing the number of hardware queues or queue depth settings to mitigate the risk of lockups, though this may impact performance. Additionally, implement robust system monitoring and automated reboot or failover mechanisms to minimize downtime in case of lockups. Coordination with hardware vendors for firmware updates or configuration recommendations related to SCSI controllers may also be beneficial.