
CVE-2024-26789: Vulnerability in Linux Linux

High
Published: Thu Apr 04 2024 (04/04/2024, 08:20:21 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: arm64/neonbs - fix out-of-bounds access on short input

The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with.

It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code.

The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.

AI-Powered Analysis

Last updated: 07/03/2025, 01:43:02 UTC

Technical Analysis

CVE-2024-26789 is a high-severity vulnerability in the Linux kernel's cryptographic implementation for ARM64 architectures using NEON instructions. Specifically, the vulnerability arises in the bit-sliced AES-CTR (Advanced Encryption Standard in Counter mode) implementation. This implementation processes data in 128-byte blocks but falls back to a plain NEON assembly helper for inputs shorter than 128 bytes or for tail blocks.

The plain NEON helper performs memory accesses in 16-byte granules, corresponding to the size of NEON registers. To handle inputs shorter than 16 bytes, the plain NEON glue code copies data into a temporary buffer to avoid out-of-bounds memory access. However, the fallback path from the bit-sliced NEON version did not replicate this safeguard, leading to potential out-of-bounds memory reads or writes when processing short inputs. This flaw can cause memory corruption, leading to integrity and availability impacts such as crashes or data manipulation.

The vulnerability requires local access with low privileges (AV:L/PR:L), does not require user interaction, and affects confidentiality indirectly through integrity and availability impacts. The issue was patched by cloning the workaround used in the plain NEON code to the fallback path, ensuring short inputs are safely copied into temporary buffers. No known exploits are currently reported in the wild. The vulnerability affects Linux kernel versions containing the specified commit hash, which corresponds to recent kernel versions supporting ARM64 NEON crypto acceleration.
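The short-input case described above, modelled in user-space C as an added example (this is not the kernel's code or the upstream patch). `granule_xor`, `ctr_tail`, the single-byte XOR "keystream" and the guard-byte arena are constructed stand-ins, and tails of 16 bytes or more are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE 16   /* one NEON register; the modelled helper never accesses less */
#define GUARD   0xA5 /* constructed canary value placed after the caller's data */
/* Model of a helper that loads and stores only whole 16-byte granules. */
static void granule_xor(uint8_t *dst, const uint8_t *src, size_t len, uint8_t ks)
{
    for (size_t off = 0; off < len; off += GRANULE) {
        uint8_t reg[GRANULE];
        memcpy(reg, src + off, GRANULE);      /* full-register load */
        for (size_t i = 0; i < GRANULE; i++)
            reg[i] ^= ks;
        memcpy(dst + off, reg, GRANULE);      /* full-register store */
    }
}

/* Short-tail fallback: use_tmp=0 omits the safeguard, use_tmp=1 applies it. */
static void ctr_tail(uint8_t *dst, const uint8_t *src, size_t len, uint8_t ks, int use_tmp)
{
    uint8_t tmp[GRANULE] = {0};
    if (!use_tmp || len >= GRANULE) {         /* tails >= 16 bytes are not modelled */
        granule_xor(dst, src, len, ks);
        return;
    }
    memcpy(tmp, src, len);                    /* pad the short input to one granule */
    granule_xor(tmp, tmp, len, ks);
    memcpy(dst, tmp, len);                    /* copy back only len bytes */
}

/* Runs a 5-byte message in a guarded arena; returns guard bytes overwritten. */
static int guard_bytes_clobbered(int use_tmp)
{
    uint8_t arena[2 * GRANULE];
    const size_t len = 5;
    int hits = 0;
    memset(arena, GUARD, sizeof(arena));
    memcpy(arena, "hello", len);
    ctr_tail(arena, arena, len, 0x3C, use_tmp);
    for (size_t i = len; i < sizeof(arena); i++)
        hits += (arena[i] != GUARD);
    return hits;
}

int main(void)
{
    printf("no temp: %d, temp: %d\n", guard_bytes_clobbered(0), guard_bytes_clobbered(1));
    return 0;
}
```

The arena is 32 bytes so the unguarded path stays inside memory the program owns; in the kernel the bytes past a short buffer belong to whatever happens to be adjacent.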

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to systems running Linux on ARM64 hardware that utilize the NEON-accelerated AES-CTR cryptographic functions. Such systems may include embedded devices, IoT infrastructure, ARM-based servers, and potentially mobile or edge computing devices deployed in critical environments. The out-of-bounds access can lead to kernel crashes or memory corruption, resulting in denial of service or potential privilege escalation if exploited in combination with other vulnerabilities. Although the attack vector requires local access with low privileges, compromised or insider users could exploit this flaw to disrupt system integrity or availability. This could impact critical infrastructure, industrial control systems, or cloud services relying on ARM64 Linux hosts. Given the increasing adoption of ARM64 architectures in Europe for energy-efficient data centers and edge deployments, the vulnerability could affect a broad range of sectors including telecommunications, manufacturing, and government services. The lack of known exploits reduces immediate risk, but the high severity score and kernel-level impact necessitate prompt mitigation to avoid potential exploitation as attackers analyze the patch and develop exploits.

Mitigation Recommendations

European organizations should prioritize applying the official Linux kernel patches that address CVE-2024-26789 as soon as they become available for their specific distributions and kernel versions. For environments using custom or embedded Linux kernels, backporting the patch or upgrading to a fixed kernel version is critical. Additionally, organizations should audit and restrict local access to ARM64 Linux systems to trusted users only, minimizing the risk of local exploitation. Employing kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), SELinux/AppArmor policies, and restricting debug interfaces can further reduce exploitation likelihood. Monitoring system logs for kernel crashes or unusual behavior related to cryptographic operations may help detect attempted exploitation. For high-security environments, consider isolating ARM64 systems or deploying additional runtime integrity monitoring tools. Finally, maintain up-to-date inventories of ARM64 Linux deployments to ensure all affected systems are identified and remediated promptly.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.178Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe3be3

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 7/3/2025, 1:43:02 AM

Last updated: 7/29/2025, 3:16:37 PM
