CVE-2024-26775: Vulnerability in Linux Linux

High
Published: Wed Apr 03 2024 (04/03/2024, 17:01:01 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

aoe: avoid potential deadlock at set_capacity

Move set_capacity() outside of the section protected by (&d->lock). To avoid possible interrupt unsafe locking scenario:

        CPU0                            CPU1
        ----                            ----
    [1] lock(&bdev->bd_size_lock);
                                        local_irq_disable();
                                    [2] lock(&d->lock);
                                    [3] lock(&bdev->bd_size_lock);
        <Interrupt>
    [4] lock(&d->lock);

        *** DEADLOCK ***

Where [1] (&bdev->bd_size_lock) is held by zram_add()->set_capacity(). [2] lock(&d->lock) is held by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3] (&bdev->bd_size_lock) at the set_capacity() call. In this situation an attempt to acquire [4] lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock.

So the simplest solution is breaking the lock dependency [2] (&d->lock) -> [3] (&bdev->bd_size_lock) by moving set_capacity() outside.

AI-Powered Analysis

Last updated: 06/29/2025, 18:27:45 UTC

Technical Analysis

CVE-2024-26775 is a concurrency vulnerability in the Linux kernel's aoe (ATA over Ethernet) subsystem, involving the call to set_capacity(). It is a potential deadlock caused by inconsistent lock ordering combined with interrupt-unsafe locking. set_capacity() acquires bdev->bd_size_lock, and aoeblk_gdalloc() calls it while holding &d->lock, so the two locks can end up being taken in opposite orders on different CPUs. The deadlock sequence involves two locks, &d->lock and &bdev->bd_size_lock: one CPU holds bdev->bd_size_lock and, in an interrupt, tries to acquire d->lock, while another CPU holds d->lock and tries to acquire bdev->bd_size_lock, resulting in a circular wait. The root cause is that set_capacity() is called inside a critical section protected by &d->lock, which creates this lock dependency cycle. The fix moves the set_capacity() call outside the section protected by &d->lock, breaking the lock dependency chain and preventing the deadlock. This vulnerability is specific to certain Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2. No known exploits are reported in the wild as of the publication date. The vulnerability primarily affects systems using the aoe block device driver, which is used for network storage over Ethernet. It is a classic kernel-level concurrency bug that can cause system hangs or freezes due to deadlock, impacting system availability.
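The lock dependency cycle described above, as an added user-space model in C (not kernel code and not part of the original advisory): it records which lock is acquired while another is held and reports a cycle before the fix and none after. The model_* functions are hypothetical stand-ins for set_capacity(), aoeblk_gdalloc() and aoecmd_cfg_rsp(), and the interrupt is simplified to a nested acquisition on the same CPU.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Lock classes named after the two locks in the advisory. */
enum { D_LOCK, BD_SIZE_LOCK, NLOCKS };

static bool dep[NLOCKS][NLOCKS]; /* dep[a][b]: b was acquired while a was held */
static bool held[NLOCKS];

/* Acquire: record an edge from every currently held lock to this one. */
static void model_lock(int l) {
    for (int h = 0; h < NLOCKS; h++)
        if (held[h]) dep[h][l] = true;
    held[l] = true;
}
static void model_unlock(int l) { held[l] = false; }

/* Hypothetical stand-in for set_capacity(): takes bd_size_lock internally. */
static void model_set_capacity(void) { model_lock(BD_SIZE_LOCK); model_unlock(BD_SIZE_LOCK); }

/* Steps [1] and [4]: an interrupt runs the aoecmd_cfg_rsp() stand-in, which
 * takes d->lock, while set_capacity() on the same CPU holds bd_size_lock. */
static void model_irq_during_set_capacity(void) {
    model_lock(BD_SIZE_LOCK);
    model_lock(D_LOCK); model_unlock(D_LOCK);
    model_unlock(BD_SIZE_LOCK);
}

/* Steps [2] and [3]: aoeblk_gdalloc() stand-in, before and after the fix. */
static void model_gdalloc(bool fixed) {
    model_lock(D_LOCK);
    if (!fixed) model_set_capacity(); /* set_capacity() under d->lock */
    model_unlock(D_LOCK);
    if (fixed) model_set_capacity();  /* moved outside the locked section */
}

/* With two lock classes, a cycle is an edge in both directions. */
bool deadlock_possible(bool fixed) {
    memset(dep, 0, sizeof dep);
    memset(held, 0, sizeof held);
    model_irq_during_set_capacity();
    model_gdalloc(fixed);
    return dep[D_LOCK][BD_SIZE_LOCK] && dep[BD_SIZE_LOCK][D_LOCK];
}

int main(void) {
    printf("before fix: %d, after fix: %d\n", deadlock_possible(false), deadlock_possible(true));
    return 0;
}
```

The model tracks ordering only; the kernel's own checker also tracks whether each lock is ever taken with interrupts enabled, which is what the "interrupt unsafe" wording in the description refers to.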

Potential Impact

For European organizations, the impact of CVE-2024-26775 can be significant in environments that rely on Linux servers using the aoe block device for networked storage. Deadlocks in the kernel can cause system hangs, leading to denial of service conditions on critical infrastructure such as storage servers, virtualization hosts, or cloud platforms. This can disrupt business operations, data availability, and service continuity. Organizations in sectors like finance, telecommunications, healthcare, and government that depend on high-availability Linux-based storage solutions may face operational risks. Although the vulnerability does not directly expose confidentiality or integrity risks, the availability impact can be severe, especially in clustered or high-demand storage environments. Since the vulnerability requires kernel-level code execution context, it is less likely to be exploited remotely without prior access, but insider threats or compromised systems could trigger the deadlock. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or malicious triggering of the deadlock, potentially causing outages.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions that include the patch for CVE-2024-26775. Specifically, they should ensure that their kernel version incorporates the fix that moves the set_capacity() call outside the critical section protected by &d->lock. System administrators should audit their use of the aoe block device driver and consider disabling or replacing it if not required. For environments where aoe is critical, thorough testing of kernel updates in staging environments is recommended to confirm stability. Monitoring system logs for kernel deadlock symptoms and implementing alerting for unusual kernel lock contention can provide early warning. Additionally, organizations should enforce strict access controls and minimize the attack surface by limiting who can execute code or commands that interact with kernel block devices. Employing kernel live patching solutions where available can reduce downtime during patch deployment. Finally, maintaining robust backup and recovery procedures will mitigate the impact of any unexpected outages caused by this or similar kernel issues.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.176Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe3b52

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 6:27:45 PM

Last updated: 8/5/2025, 7:16:43 AM
