CVE-2024-35122: CWE-266 Incorrect Privilege Assignment
IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to a file level local denial of service caused by an insufficient authority requirement. A local non-privileged user can configure a referential constraint with the privileges of a user socially engineered to access the target file.
AI Analysis
Technical Summary
CVE-2024-35122 is a vulnerability affecting IBM i operating system versions 7.2, 7.3, 7.4, and 7.5. The issue stems from an incorrect privilege assignment (CWE-266) related to the handling of referential constraints at the file level. Specifically, a local non-privileged user can exploit insufficient authority requirements to configure a referential constraint using the privileges of another user who has been socially engineered to access the target file. This results in a local denial of service (DoS) condition at the file level, where the attacker can disrupt access or operations on the file by leveraging elevated privileges indirectly. The vulnerability requires local access, low complexity in terms of attack conditions, and some user interaction (social engineering) to succeed. The CVSS v3.1 base score is 2.8, indicating a low severity primarily because the impact is limited to availability (denial of service) without affecting confidentiality or integrity. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability highlights a privilege management flaw where the system does not adequately verify authority when setting referential constraints, allowing privilege escalation through social engineering and local access.
Potential Impact
For European organizations using IBM i systems in versions 7.2 through 7.5, this vulnerability could lead to localized denial of service conditions on critical files. While the impact on confidentiality and integrity is negligible, availability disruptions can affect business-critical applications relying on these files, potentially causing operational delays or downtime. Industries such as finance, manufacturing, and logistics that depend on IBM i for transaction processing and data management could face interruptions. The requirement for local access and social engineering reduces the likelihood of widespread exploitation but does not eliminate risk, especially in environments with many users or where insider threats exist. Organizations with less mature internal security awareness programs may be more vulnerable to the social engineering component. Given the low CVSS score, the threat is not urgent but should be addressed to maintain system reliability and prevent potential escalation or chaining with other vulnerabilities.
Mitigation Recommendations
1. Implement strict access controls and monitoring on IBM i systems to limit local user privileges and detect unusual configuration changes related to referential constraints.
2. Enhance user awareness and training programs to reduce the risk of social engineering attacks that could enable privilege misuse.
3. Regularly audit file permissions and referential constraint configurations to identify and remediate improper privilege assignments.
4. Apply the latest IBM i security updates and patches as they become available; since no patch link is currently provided, monitor IBM security advisories closely.
5. Employ multi-factor authentication and session monitoring for users with access to critical files to reduce the risk of unauthorized privilege use.
6. Consider implementing application-level controls or logging to detect and respond to abnormal file access patterns that may indicate exploitation attempts.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2024-05-09T16:27:14.739Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e0f3c5b66c7f7acdd3ea67
Added to database: 10/4/2025, 10:15:33 AM
Last enriched: 10/4/2025, 10:21:24 AM
Last updated: 10/4/2025, 1:00:54 PM