
CVE-2024-35857: Vulnerability in Linux Linux

Medium
Published: Fri May 17 2024 (05/17/2024, 14:47:32 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

icmp: prevent possible NULL dereferences from icmp_build_probe()

First problem is a double call to __in_dev_get_rcu(), because the second one could return NULL.

    if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)

Second problem is a read from dev->ip6_ptr with no NULL check:

    if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))

Use the correct RCU API to fix these.

v2: add missing include <net/addrconf.h>

AI-Powered Analysis

Last updated: 06/29/2025, 16:42:01 UTC

Technical Analysis

CVE-2024-35857 is a medium-severity vulnerability in the Linux kernel's ICMP (Internet Control Message Protocol) implementation. The flaw is improper handling of possibly-NULL pointers in the icmp_build_probe() function, and it has two parts. First, one condition calls __in_dev_get_rcu() twice, if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list): only the first result is tested, while the second call can return NULL and its result is dereferenced without a check. Second, dev->ip6_ptr is read and dereferenced with no NULL check, in if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list)).

The root cause is a misuse of Read-Copy-Update (RCU) APIs, which are critical for safe concurrent access in the kernel. The fix involves using the correct RCU API calls and adding the necessary NULL checks so that invalid pointers are not dereferenced, thereby avoiding kernel crashes or denial of service conditions.

This vulnerability is classified under CWE-476 (NULL Pointer Dereference) and has a CVSS v3.1 base score of 5.3, indicating a medium severity level. The attack vector is network-based (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and the impact is limited to availability (A:L) with no confidentiality or integrity loss. No known exploits are reported in the wild at the time of publication. The vulnerability affects specific Linux kernel versions identified by commit hashes, and the patch includes adding a missing include and correcting RCU API usage.
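The first problem described above, modelled in userspace C as an added example (not kernel code and not from this page): fetch_in_dev() is a hypothetical stand-in for __in_dev_get_rcu(dev) that replays a constructed sequence of values, so the double-fetch check can be compared with a single-fetch one without crashing. WOULD_OOPS marks the point where the kernel would dereference NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model (assumption): all names below are illustrative. */
struct in_dev_model { const void *ifa_list; };
struct dev_model {
    struct in_dev_model *seen[2]; /* constructed: value returned by 1st and 2nd read */
    int reads;
};
enum { HAS_NO_ADDR = 0, HAS_ADDR = 1, WOULD_OOPS = -1 };

/* Stand-in for __in_dev_get_rcu(dev): each call re-reads a pointer a writer may clear. */
static struct in_dev_model *fetch_in_dev(struct dev_model *dev)
{
    int i = dev->reads < 2 ? dev->reads : 1;
    dev->reads++;
    return dev->seen[i];
}

/* Pattern quoted in the description: test one read, dereference another. */
int has_ipv4_addr_double_fetch(struct dev_model *dev)
{
    if (!fetch_in_dev(dev))
        return HAS_NO_ADDR;
    struct in_dev_model *second = fetch_in_dev(dev);
    if (!second)
        return WOULD_OOPS; /* the kernel would dereference NULL here */
    return second->ifa_list ? HAS_ADDR : HAS_NO_ADDR;
}

/* Safe pattern: read once into a local, then test and use that same value. */
int has_ipv4_addr_single_fetch(struct dev_model *dev)
{
    struct in_dev_model *in_dev = fetch_in_dev(dev);
    if (!in_dev)
        return HAS_NO_ADDR;
    return in_dev->ifa_list ? HAS_ADDR : HAS_NO_ADDR;
}

int main(void)
{
    struct in_dev_model idev = { "constructed address list" };
    struct dev_model racing = { { &idev, NULL }, 0 }; /* cleared between reads */
    printf("double fetch: %d\n", has_ipv4_addr_double_fetch(&racing));
    racing.reads = 0;
    printf("single fetch: %d\n", has_ipv4_addr_single_fetch(&racing));
    return 0;
}
```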

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service (DoS) due to potential kernel crashes triggered by crafted ICMP packets. Systems running vulnerable Linux kernel versions could be forced to reboot or become unresponsive, disrupting critical services, especially in environments relying heavily on Linux servers, network appliances, or embedded devices. While the vulnerability does not compromise confidentiality or integrity, availability impacts can affect business continuity, particularly for sectors like finance, telecommunications, healthcare, and public infrastructure that depend on stable Linux-based systems. The network-exploitable nature means attackers can trigger the issue remotely without authentication, increasing the risk surface. However, the medium severity and absence of known exploits reduce immediate threat urgency. Still, organizations with exposed Linux systems should prioritize patching to prevent potential DoS attacks that could degrade service levels or cause operational interruptions.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Identify and inventory all Linux systems, including servers, network devices, and embedded systems, to determine if they run affected kernel versions.
2) Apply the official Linux kernel patches that address CVE-2024-35857 as soon as they become available, ensuring the correct RCU API usage and NULL pointer checks are incorporated.
3) For systems where immediate patching is not feasible, consider implementing network-level filtering to block or rate-limit ICMP traffic, especially ICMP probe packets, to reduce exposure to exploit attempts.
4) Monitor system logs and kernel messages for signs of crashes or unusual ICMP traffic patterns that could indicate exploitation attempts.
5) Employ intrusion detection systems (IDS) or network anomaly detection tools configured to alert on suspicious ICMP activity.
6) Maintain up-to-date backups and recovery plans to minimize downtime in case of DoS incidents.
7) Engage with Linux distribution vendors for timely updates and advisories relevant to this vulnerability.

These steps go beyond generic advice by focusing on network traffic controls, monitoring, and vendor coordination tailored to this ICMP-related kernel flaw.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.106Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe368e

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 4:42:01 PM

Last updated: 7/30/2025, 12:56:38 AM
