
CVE-2024-26918: Vulnerability in Linux Linux

Medium
Published: Wed Apr 17 2024 (04/17/2024, 15:59:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix active state requirement in PME polling

The commit noted in fixes added a bogus requirement that runtime PM managed devices need to be in the RPM_ACTIVE state for PME polling. In fact, only devices in low power states should be polled.

However there's still a requirement that the device config space must be accessible, which has implications for both the current state of the polled device and the parent bridge, when present. It's not sufficient to assume the bridge remains in D0 and cases have been observed where the bridge passes the D0 test, but the PM state indicates RPM_SUSPENDING and config space of the polled device becomes inaccessible during pci_pme_wakeup().

Therefore, since the bridge is already effectively required to be in the RPM_ACTIVE state, formalize this in the code and elevate the PM usage count to maintain the state while polling the subordinate device.

This resolves a regression reported in the bugzilla below where a Thunderbolt/USB4 hierarchy fails to scan for an attached NVMe endpoint downstream of a bridge in a D3hot power state.

AI-Powered Analysis

Last updated: 06/29/2025, 13:10:14 UTC

Technical Analysis

CVE-2024-26918 addresses a flaw in how the Linux kernel polls for PCI Power Management Events (PME) on devices managed by runtime power management (PM). A prior commit introduced the incorrect requirement that runtime PM managed devices must be in the RPM_ACTIVE state for PME polling. In reality, only devices in low power states should be polled.

Polling still requires that the device's configuration space be accessible, and that depends on both the power state of the polled device and the state of its parent PCI bridge. The prior code assumed the bridge remains in the fully powered D0 state, but cases were observed where the bridge passed the D0 test while its runtime PM state indicated RPM_SUSPENDING, so the polled device's config space became inaccessible during pci_pme_wakeup(). The result is a failure to scan downstream devices, such as NVMe endpoints behind Thunderbolt/USB4 bridges in low power states.

The fix formalizes the requirement that the parent bridge be in the RPM_ACTIVE state during polling and elevates the bridge's PM usage count so that it stays in that state while the subordinate device is polled. This resolves the regression and restores device enumeration and wake-up.

The vulnerability does not directly expose confidentiality or integrity risks. It affects availability by causing device enumeration failures and potentially disrupting device wake-up sequences. The CVSS 3.1 score is 6.2 (medium severity), reflecting a local attack vector with low complexity, no privileges required, and no user interaction, with high impact on availability.

Potential Impact

For European organizations, this vulnerability could affect systems running Linux kernels with the affected versions, especially those utilizing Thunderbolt or USB4 interfaces with NVMe storage devices connected downstream of PCI bridges. The impact primarily concerns availability and operational stability, as devices may fail to be properly enumerated or woken from low power states, potentially leading to hardware inaccessibility or degraded system performance. This can disrupt critical workflows in sectors relying on high-performance storage and peripheral connectivity, such as financial services, research institutions, and industrial automation. While the vulnerability does not directly compromise data confidentiality or integrity, the resulting device failures could cause downtime or data access interruptions. Organizations with extensive Linux deployments in server, workstation, or embedded environments should be aware of this issue, particularly where power management and device hot-plugging are integral to operations.

Mitigation Recommendations

To mitigate CVE-2024-26918, European organizations should:

1) Apply the official Linux kernel patches that address this issue as soon as they become available from trusted sources or distributions.
2) For environments where immediate patching is not feasible, consider disabling runtime power management on affected PCI bridges or devices as a temporary workaround to prevent devices from entering low power states that trigger the issue.
3) Monitor system logs for PCI enumeration errors or device wake-up failures, especially in systems using Thunderbolt or USB4 with NVMe endpoints, to detect potential manifestations of the vulnerability.
4) Validate and test power management configurations in controlled environments to ensure that device scanning and wake-up sequences function correctly post-patching.
5) Coordinate with hardware vendors to confirm compatibility and firmware updates that may complement kernel fixes.
6) Maintain up-to-date inventory of Linux kernel versions and affected hardware to prioritize patch deployment and risk assessment.
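A sysfs audit for the temporary workaround in item 2, added here as an example and not taken from the advisory or the kernel source: it lists PCI-to-PCI bridges (class 0x0604xx) with their runtime PM setting and status, and can pin the ones set to `auto` to `on`. The function names, the `report` argument and the `SYSFS_PCI` override are assumptions of this example.

```shell
#!/bin/sh
# Audit runtime PM on PCI-to-PCI bridges via sysfs (added example).
# SYSFS_PCI is an override introduced by this example so the functions can be
# run against a constructed tree; on a real host it is /sys/bus/pci/devices.
SYSFS_PCI="${SYSFS_PCI:-/sys/bus/pci/devices}"

# is_bridge DEVDIR: true when the class code is 0x0604xx (PCI-to-PCI bridge).
is_bridge() {
    [ -r "$1/class" ] || return 1
    case "$(cat "$1/class")" in
        0x0604*) return 0 ;;
        *) return 1 ;;
    esac
}

# list_bridges: print "BDF control runtime_status" for every bridge found.
list_bridges() {
    for dev in "$SYSFS_PCI"/*; do
        is_bridge "$dev" || continue
        ctl=$(cat "$dev/power/control" 2>/dev/null || echo unknown)
        st=$(cat "$dev/power/runtime_status" 2>/dev/null || echo unknown)
        printf '%s %s %s\n' "${dev##*/}" "$ctl" "$st"
    done
}

# bridges_allowing_suspend: bridges whose power/control is "auto", i.e. the
# ones permitted to runtime-suspend while a subordinate device is polled.
bridges_allowing_suspend() {
    list_bridges | awk '$2 == "auto" { print $1 }'
}

# pin_bridges_on: temporary workaround. Writing "on" to power/control keeps
# the bridge runtime-active; needs root on a real host and costs idle power.
pin_bridges_on() {
    for bdf in $(bridges_allowing_suspend); do
        echo on > "$SYSFS_PCI/$bdf/power/control" && echo "pinned $bdf"
    done
}

# Print the report only when asked, e.g. `sh audit.sh report`.
if [ "${1:-}" = report ]; then
    list_bridges
fi
```

The `on` setting does not persist across reboots or hot-plug events, so it needs to be reapplied (for example from a boot-time unit) until the patched kernel is deployed.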


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.193Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2e18

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 1:10:14 PM

Last updated: 8/16/2025, 7:50:59 PM
