CVE-2024-35843: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Use device rbtree in iopf reporting path

The existing I/O page fault handler currently locates the PCI device by calling pci_get_domain_bus_and_slot(). This function searches the list of all PCI devices until the desired device is found. To improve lookup efficiency, replace it with device_rbtree_find() to search the device within the probed device rbtree.

The I/O page fault is initiated by the device, which does not have any synchronization mechanism with the software to ensure that the device stays in the probed device tree. Theoretically, a device could be released by the IOMMU subsystem after device_rbtree_find() and before iopf_get_dev_fault_param(), which would cause a use-after-free problem.

Add a mutex to synchronize the I/O page fault reporting path and the IOMMU release device path. This lock doesn't introduce any performance overhead, as the conflict between I/O page fault reporting and device releasing is very rare.
AI Analysis
Technical Summary
CVE-2024-35843 is a vulnerability in the Linux kernel's IOMMU (Input-Output Memory Management Unit) VT-d subsystem, specifically in the I/O page fault (iopf) reporting path. The vulnerability arises from a use-after-free condition due to a race between device lookup and device release. The existing implementation locates PCI devices by scanning the entire PCI device list using pci_get_domain_bus_and_slot(), which is inefficient. To improve performance, the lookup was changed to use device_rbtree_find(), which searches a red-black tree of probed devices. However, this introduced a synchronization issue: the device could be released by the IOMMU subsystem after device_rbtree_find() returns but before iopf_get_dev_fault_param() accesses the device, leading to a use-after-free scenario (CWE-416). This can cause kernel crashes or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting the race condition. The fix involves adding a mutex to synchronize the I/O page fault reporting path and the device release path, preventing the device from being freed while still in use. This lock is designed to have minimal performance impact since conflicts are rare. The CVSS v3.1 base score is 6.8 (medium severity), reflecting that the vulnerability requires local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), no integrity impact (I:N), and high availability impact (A:H). No known exploits are reported in the wild yet.
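The lookup-then-use window that the commit message and the technical summary above describe, and the locking discipline the fix imposes, as an added example. This is constructed, single-threaded model code, not the kernel's: device_probe, device_release, report_iopf, device_slot and the flag probed_lock are assumed stand-ins for the kernel's rbtree, mutex and helpers.

```c
#include <errno.h>
#include <stdlib.h>
/* Constructed single-threaded model of the race fixed in CVE-2024-35843: the
 * fault reporting path must not let a device release slip in between lookup
 * and use. The mutex is modelled by a flag (no real threads); all names are
 * illustrative, not the kernel's own. */
struct dev { unsigned int rid; int fault_param; struct dev *next; };
static struct dev *probed;          /* stands in for the probed-device rbtree */
static int probed_lock;             /* 1 while held; stands in for the mutex the fix adds */
static int release_in_window_rc;    /* what a release racing the fault path got back */

static struct dev **device_slot(unsigned int rid)   /* caller holds probed_lock */
{
    struct dev **pp = &probed;
    while (*pp && (*pp)->rid != rid) pp = &(*pp)->next;
    return pp;
}
int device_probe(unsigned int rid, int fault_param)
{
    struct dev *d = malloc(sizeof *d);
    if (!d) return -ENOMEM;
    *d = (struct dev){ .rid = rid, .fault_param = fault_param, .next = probed };
    probed = d;
    return 0;
}
/* Release path: takes the same lock as the fault path. A real mutex would block
 * here until the fault path is done; the model returns -EBUSY so that is visible. */
int device_release(unsigned int rid)
{
    if (probed_lock) return -EBUSY;
    probed_lock = 1;
    struct dev **pp = device_slot(rid), *d = *pp;
    if (d) { *pp = d->next; free(d); }
    probed_lock = 0;
    return d ? 0 : -ENODEV;
}
/* Fault path after the fix: lookup and use sit in one critical section, so the
 * release attempted in the middle (the former race window) cannot free d. */
int report_iopf(unsigned int rid, int *fault_param)
{
    int ret = -ENODEV;
    probed_lock = 1;
    struct dev *d = *device_slot(rid);                  /* device_rbtree_find() stand-in */
    release_in_window_rc = device_release(rid);         /* racing release: locked out */
    if (d) { *fault_param = d->fault_param; ret = 0; }  /* iopf_get_dev_fault_param() stand-in */
    probed_lock = 0;
    return ret;
}
```

Without the lock held across both steps, the release call in the middle would succeed and the following dereference of d would be the use-after-free the commit describes.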
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to systems running vulnerable Linux kernel versions with IOMMU VT-d enabled and PCI devices in use. The use-after-free condition can lead to kernel crashes, causing denial of service and potential system instability. In environments where Linux is used for critical infrastructure, cloud services, or virtualization hosts, this could disrupt operations and availability. While the confidentiality impact is limited, the availability impact is high, which is significant for service providers and enterprises relying on Linux-based servers. Attackers with local access could exploit this vulnerability to cause system crashes or potentially escalate privileges if combined with other vulnerabilities. Given the widespread use of Linux in European data centers, telecom infrastructure, and industrial control systems, the vulnerability could affect a broad range of sectors including finance, manufacturing, and government services. However, exploitation requires local access, limiting remote attack vectors. The absence of known exploits reduces immediate risk but patching is important to prevent future attacks.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions that include the fix for CVE-2024-35843. Specifically, ensure that the kernel includes the mutex synchronization in the IOMMU VT-d I/O page fault reporting path. For systems where immediate patching is not feasible, consider the following mitigations:
- Restrict local access to trusted users only.
- Enforce strict access controls and monitoring on systems with IOMMU enabled.
- Disable VT-d if it is not required for the workload, to reduce the attack surface.
- Implement kernel crash monitoring and alerting to detect potential exploitation attempts.
- Review PCI device usage and IOMMU configurations to minimize exposure.
- Regularly audit and update Linux kernel versions as part of the patch management process.
- Maintain comprehensive logging and incident response capabilities to quickly identify and respond to any exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.104Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3629
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:27:49 PM
Last updated: 7/30/2025, 11:25:54 AM