CVE-2024-35895: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Prevent lock inversion deadlock in map delete elem

syzkaller started using corpuses where a BPF tracing program deletes elements from a sockmap/sockhash map. Because BPF tracing programs can be invoked from any interrupt context, locks taken during a map_delete_elem operation must be hardirq-safe. Otherwise a deadlock due to lock inversion is possible, as reported by lockdep:

    CPU0                                    CPU1
    ----                                    ----
    lock(&htab->buckets[i].lock);
                                            local_irq_disable();
                                            lock(&host->lock);
                                            lock(&htab->buckets[i].lock);
    <Interrupt>
    lock(&host->lock);

Locks in sockmap are hardirq-unsafe by design. We expect elements to be deleted from sockmap/sockhash only in task (normal) context with interrupts enabled, or in softirq context.

Detect when the map_delete_elem operation is invoked from a context which is _not_ hardirq-unsafe, that is, interrupts are disabled, and bail out with an error.

Note that map updates are not affected by this issue. The BPF verifier does not allow updating sockmap/sockhash from a BPF tracing program today.
AI Analysis
Technical Summary
CVE-2024-35895 addresses a concurrency vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically in the deletion of elements from sockmap and sockhash maps. The vulnerability is a lock inversion deadlock that can be triggered when a BPF tracing program deletes elements from these maps in a context where interrupts are disabled. BPF tracing programs can be invoked from any interrupt context, but the sockmap locks are hardirq-unsafe by design. The deadlock arises from an inversion of lock acquisition order between two CPUs: one CPU holds a bucket lock and, when interrupted, waits for the host lock, while the other CPU has disabled interrupts, holds the host lock and waits for the bucket lock, producing a circular wait. The result is a kernel deadlock that can freeze the affected processes or the entire system. The fix detects when map_delete_elem is called with interrupts disabled and refuses the operation with an error, so the inverted lock order is never taken. Map updates are not affected, because the BPF verifier does not allow sockmap/sockhash updates from a BPF tracing program, which limits the attack surface. No known exploits are reported in the wild as of the publication date. The vulnerability is tied to the kernel code identified by commit 604326b41a6fb9b4a78b6179335decee0365cd8c and affects kernels containing that code or derivatives of it.
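The two-CPU sequence from the lockdep report, replayed in a small lock-order model, as an added example (constructed here, not kernel or project code): BUCKET and HOST stand for htab->buckets[i].lock and host->lock, the irqs_disabled flag models local_irq_disable(), and the -EBUSY return is this model's choice for the "bail out with an error" step. With the check applied, the interrupts-off deleter never takes the bucket lock, so the reverse edge that completes the inversion is never recorded.

```c
/* Toy model of the lock inversion in the lockdep report above (constructed
 * example, not kernel code). BUCKET stands for htab->buckets[i].lock and HOST
 * for host->lock. Each acquisition records "held-before" edges; an edge in
 * both directions is an AB-BA inversion (a simplification of lockdep's rules). */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

enum { BUCKET = 0, HOST = 1, NLOCKS = 2 };
struct cpu { bool held[NLOCKS]; bool irqs_disabled; };

/* order[a][b]: lock a was held at the moment lock b was taken. */
static bool order[NLOCKS][NLOCKS];

/* Record taking `lock` on CPU `c`; true if the reverse edge already exists. */
static bool acquire(struct cpu *c, int lock)
{
    bool inversion = false;
    for (int held = 0; held < NLOCKS; held++) {
        if (!c->held[held] || held == lock)
            continue;
        order[held][lock] = true;
        if (order[lock][held])
            inversion = true;
    }
    c->held[lock] = true;
    return inversion;
}

/* Model of map_delete_elem. With `fixed`, the patch's check applies: bail out
 * with an error when interrupts are disabled (-EBUSY is this model's choice). */
static int map_delete_elem(struct cpu *c, bool fixed)
{
    if (fixed && c->irqs_disabled)
        return -EBUSY;
    acquire(c, BUCKET);
    return 0;
}

/* Replay the two-CPU sequence from the report; true means inversion detected. */
static bool replay(bool fixed)
{
    struct cpu cpu0 = {{0}}, cpu1 = {{0}};
    memset(order, 0, sizeof order);
    acquire(&cpu0, BUCKET);         /* CPU0: lock(&htab->buckets[i].lock) */
    cpu1.irqs_disabled = true;      /* CPU1: local_irq_disable() */
    acquire(&cpu1, HOST);           /* CPU1: lock(&host->lock) */
    map_delete_elem(&cpu1, fixed);  /* CPU1: delete -> lock(&htab->buckets[i].lock) */
    return acquire(&cpu0, HOST);    /* CPU0: <Interrupt> lock(&host->lock) */
}
```

replay(false) reports the inversion the report describes; replay(true) does not, because the delete on the interrupts-off CPU returns early.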
Potential Impact
For European organizations, this vulnerability could lead to system instability or denial of service conditions on Linux-based infrastructure that utilizes BPF sockmap or sockhash features, particularly in environments employing advanced network monitoring, tracing, or filtering tools that leverage BPF tracing programs. Critical infrastructure, cloud service providers, telecommunications, and enterprises relying on Linux servers for network functions could experience service interruptions or degraded performance due to kernel deadlocks. Although no direct remote code execution or privilege escalation is indicated, the deadlock can cause availability issues, impacting business continuity and operational reliability. The impact is more pronounced in high-throughput or real-time network environments where BPF is extensively used. Since the vulnerability requires specific kernel versions and certain BPF tracing program behaviors, the scope is somewhat limited but still significant for affected deployments.
Mitigation Recommendations
European organizations should promptly identify Linux systems running the affected kernel versions and apply the official patches or kernel updates that include the fix for CVE-2024-35895. In environments where immediate patching is not feasible, administrators should audit and restrict the use of BPF tracing programs that perform element deletions on sockmap/sockhash maps, especially those that might be invoked in interrupt contexts. Implementing strict controls on who can load or execute BPF programs can reduce risk. Monitoring kernel logs for lockdep warnings or deadlock symptoms can help detect attempts to trigger this issue. Additionally, organizations should review their kernel configuration and BPF usage policies to ensure that map_delete_elem operations are not performed in contexts where interrupts are disabled. Coordination with Linux distribution vendors for timely updates, and testing patches in staging environments before production deployment, is recommended to avoid regressions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.113Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED
Threat ID: 682d9828c4522896dcbe20e5
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 7:55:06 AM
Last updated: 8/1/2025, 12:06:34 AM