CVE-2024-26723: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

lan966x: Fix crash when adding interface under a lag

There is a crash when adding one of the lan966x interfaces under a lag interface. The issue can be reproduced like this:

    ip link add name bond0 type bond miimon 100 mode balance-xor
    ip link set dev eth0 master bond0

The reason is because when adding an interface under the lag it would go through all the ports and try to figure out which other ports are under that lag interface. And the issue is that lan966x can have ports that are NULL pointer as they are not probed. So then iterating over these ports it would just crash as they are NULL pointers. The fix consists in actually checking for NULL pointers before accessing something from the ports. Like we do in other places.
AI Analysis
Technical Summary
CVE-2024-26723 is a high-severity vulnerability in the Linux kernel affecting the lan966x network driver, specifically when adding an interface under a Link Aggregation Group (LAG) interface. The vulnerability arises due to improper handling of NULL pointers during the iteration over ports associated with the LAG interface. When a lan966x interface is added under a LAG, the kernel code attempts to enumerate all ports to identify which belong to the LAG. However, some ports may not have been probed and thus are represented as NULL pointers. The lack of NULL pointer checks leads to a kernel crash (denial of service) when the code dereferences these NULL pointers. The issue can be reproduced by creating a bond interface (e.g., bond0) with mode balance-xor and adding a lan966x interface (e.g., eth0) as a slave to this bond. The fix implemented involves adding proper NULL pointer checks before accessing port data, preventing the crash. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) due to the crash impact. The CVSS v3.1 base score is 7.8 (high), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, requires low privileges, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild as of the publication date (April 3, 2024).
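The bug class described above, as an added example: a user-space C model of a sparse port table, not the lan966x driver's code. All struct, function and constant names here are hypothetical, and the port layout is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_PHYS_PORTS 8            /* constructed value for this model */

struct bond { const char *name; };

struct port {
    uint8_t chip_port;
    struct bond *bond;              /* NULL when the port is not under a LAG */
};

struct sw {
    /* One slot per physical port; a slot stays NULL if the port was never probed. */
    struct port *ports[NUM_PHYS_PORTS];
};

/* Pre-fix pattern: dereferences every slot, so an unprobed (NULL) slot faults.
 * Kept only for contrast with the checked version; it is never called here. */
uint32_t lag_mask_unchecked(const struct sw *sw, const struct bond *bond)
{
    uint32_t mask = 0;
    for (int p = 0; p < NUM_PHYS_PORTS; p++)
        if (sw->ports[p]->bond == bond)
            mask |= 1u << p;
    return mask;
}

/* Post-fix pattern: skip slots that were never probed before touching them. */
uint32_t lag_mask_checked(const struct sw *sw, const struct bond *bond)
{
    uint32_t mask = 0;
    for (int p = 0; p < NUM_PHYS_PORTS; p++) {
        const struct port *port = sw->ports[p];
        if (!port)
            continue;               /* unprobed port: nothing to inspect */
        if (port->bond == bond)
            mask |= 1u << p;
    }
    return mask;
}

/* Constructed scenario: ports 0, 1 and 3 probed, ports 0 and 3 under bond0. */
uint32_t demo_mask(void)
{
    static struct bond bond0 = { "bond0" };
    static struct port eth0 = { 0, &bond0 }, eth1 = { 1, NULL }, eth3 = { 3, &bond0 };
    struct sw sw = { .ports = { [0] = &eth0, [1] = &eth1, [3] = &eth3 } };
    return lag_mask_checked(&sw, &bond0);
}

int main(void)
{
    printf("bond0 member mask: 0x%x\n", (unsigned)demo_mask());
    return 0;
}
```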
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with the lan966x driver in environments utilizing Link Aggregation (bonding) for network interfaces. The crash caused by the NULL pointer dereference results in kernel panic or system instability, leading to denial of service. This can disrupt critical network infrastructure, especially in data centers, telecommunications, and enterprise environments relying on bonded interfaces for redundancy and load balancing. The high impact on confidentiality and integrity suggests that the crash could be leveraged in complex attack scenarios to escalate privileges or cause data corruption, although direct exploitation details are limited. Given the prevalence of Linux in European IT infrastructure, including servers, network appliances, and embedded systems, the vulnerability could affect a broad range of sectors such as finance, healthcare, government, and industrial control systems. The requirement for local privileges and low complexity means that insider threats or attackers with limited access could trigger the crash, potentially as part of a larger attack chain. The absence of user interaction simplifies exploitation in controlled environments. Overall, the vulnerability threatens availability and reliability of critical networked systems in Europe.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2024-26723. Specifically, kernel updates that add NULL pointer checks in the lan966x driver should be applied promptly. In environments where immediate patching is not feasible, administrators should consider temporarily disabling the use of lan966x interfaces under LAG configurations or avoid creating bond interfaces with lan966x ports until patched. Network monitoring should be enhanced to detect unusual crashes or reboots related to bonding interfaces. Access controls should be tightened to restrict local user privileges, minimizing the risk of exploitation by low-privilege users. Additionally, organizations should audit their network interface configurations to identify the presence of lan966x devices and bonded interfaces. For embedded or specialized devices using lan966x, vendors should be contacted for firmware updates or mitigations. Implementing kernel crash dump analysis can help in early detection of exploitation attempts. Finally, integrating this vulnerability into vulnerability management and incident response workflows will ensure timely detection and remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.163Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3929
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 7/3/2025, 1:41:21 AM
Last updated: 8/17/2025, 10:55:49 PM