
CVE-2024-26671: Vulnerability in Linux Linux

High
Published: Tue Apr 02 2024 (04/02/2024, 06:49:13 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix IO hang from sbitmap wakeup race

In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure.

Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime blk_mq_mark_tag_wait() can't get driver tag successfully.

This issue can be reproduced by running the following test in loop, and fio hang can be observed in < 30min when running it on my test VM in laptop.

    modprobe -r scsi_debug
    modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4
    dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`
    fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \
        --runtime=100 --numjobs=40 --time_based --name=test \
        --ioengine=libaio

Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which is just fine in case of running out of tag.

AI-Powered Analysis

Last updated: 06/29/2025, 17:10:53 UTC

Technical Analysis

CVE-2024-26671 is a vulnerability identified in the Linux kernel's block multi-queue (blk-mq) subsystem, which is responsible for managing IO requests efficiently across multiple queues. The flaw arises from a race condition in the blk_mq_mark_tag_wait() function, where the call to __add_wait_queue() can be reordered relative to blk_mq_get_driver_tag() when the system fails to obtain a driver tag. This reordering can cause the __sbitmap_queue_wake_up() function to miss the newly added waiter in the wait queue, resulting in no wake-up signal being sent. Consequently, blk_mq_mark_tag_wait() fails to acquire the driver tag successfully, leading to IO operations hanging. The issue has been demonstrated to cause hangs in fio IO testing within 30 minutes on a test virtual machine. The root cause is a lack of proper memory barriers to enforce ordering between these operations. The fix involves adding an explicit memory barrier in blk_mq_mark_tag_wait() to prevent the reordering and ensure proper wake-up signaling when tags are exhausted. This vulnerability affects Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and potentially other versions with similar blk-mq implementations. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
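The lost wakeup described above, as an added example (a user-space model written for this page, not kernel code and not the upstream patch): it enumerates every order in which the four memory accesses can take effect and counts the orders where the waiter fails to get the tag and the waker sees an empty wait queue. The event names are hypothetical labels, and the waker side is assumed to be ordered already, since the fix only touches the waiter.

```c
#include <stdio.h>

/* The four memory accesses in the race (names are hypothetical labels). */
enum { W_ADD, W_GET, K_FREE, K_CHECK, NEV };

/* Replay one global visibility order; return 1 if the wakeup is lost. */
static int replay(const int order[NEV])
{
    int waiter_queued = 0, tag_free = 0; /* the only tag is held by in-flight IO */
    int got_tag = 0, saw_waiter = 0;

    for (int i = 0; i < NEV; i++) {
        switch (order[i]) {
        case W_ADD:   waiter_queued = 1;          break; /* __add_wait_queue() */
        case W_GET:   got_tag = tag_free;         break; /* blk_mq_get_driver_tag() */
        case K_FREE:  tag_free = 1;               break; /* completion frees the tag */
        case K_CHECK: saw_waiter = waiter_queued; break; /* waitqueue_active() */
        }
    }
    return !got_tag && !saw_waiter; /* waiter sleeps and nobody wakes it */
}

/* Count the visibility orders that end in a lost wakeup. */
int lost_wakeup_orders(int waiter_barrier)
{
    int lost = 0, o[NEV], p[NEV];

    for (o[0] = 0; o[0] < NEV; o[0]++)
    for (o[1] = 0; o[1] < NEV; o[1]++)
    for (o[2] = 0; o[2] < NEV; o[2]++)
    for (o[3] = 0; o[3] < NEV; o[3]++) {
        if (((1 << o[0]) | (1 << o[1]) | (1 << o[2]) | (1 << o[3])) != 0xF)
            continue;                   /* not a permutation of the events */
        for (int i = 0; i < NEV; i++)
            p[o[i]] = i;                /* position of each event in the order */
        if (p[K_FREE] > p[K_CHECK])
            continue;                   /* assumption: waker side is ordered */
        if (waiter_barrier && p[W_ADD] > p[W_GET])
            continue;                   /* barrier forbids add/get reordering */
        lost += replay(o);
    }
    return lost;
}

int main(void)
{
    printf("no barrier: %d, barrier: %d\n", lost_wakeup_orders(0), lost_wakeup_orders(1));
    return 0;
}
```

Without the barrier exactly one order loses the wakeup: the tag check takes effect before the wait-queue add becomes visible. With the add forced first, no order does.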

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions, especially those utilizing blk-mq for high-performance storage IO operations. The impact manifests as IO hangs, which can degrade system availability and performance, potentially causing service interruptions in critical infrastructure, cloud services, and data centers relying on Linux-based storage servers. Organizations with high IO workloads, such as financial institutions, telecommunications providers, and cloud service operators, may experience operational disruptions. While this vulnerability does not directly expose confidentiality or integrity risks, the availability impact can be significant, especially in environments requiring high uptime and reliability. The lack of known exploits reduces immediate risk, but the potential for denial-of-service conditions through IO hangs warrants prompt attention. European organizations with virtualized environments or heavy use of fio or similar IO testing tools may also be more likely to detect or be affected by this issue.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize updating their Linux kernels to versions that include the patch fixing the blk-mq race condition. Kernel updates should be tested and deployed promptly, especially on systems handling critical IO workloads. Additionally, organizations should monitor IO performance and system logs for signs of IO hangs or blk-mq related errors. For environments where immediate patching is not feasible, reducing IO concurrency or adjusting blk-mq queue parameters to limit contention may help reduce the likelihood of triggering the race condition. System administrators should also review and harden their kernel update processes to ensure timely application of security patches. Finally, incorporating this vulnerability into vulnerability management and incident response plans will help prepare for potential exploitation scenarios.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.150Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe37b2

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 5:10:53 PM

Last updated: 8/15/2025, 10:38:27 PM
