CVE-2024-35915: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet

syzbot reported the following uninit-value access issue [1][2]:

nci_rx_work() parses and processes received packet. When the payload length is zero, each message type handler reads uninitialized payload and KMSAN detects this issue. The receipt of a packet with a zero-size payload is considered unexpected, and therefore, such packets should be silently discarded.

This patch resolved this issue by checking payload size before calling each message type handler codes.
AI Analysis
Technical Summary
CVE-2024-35915 is a vulnerability in the Linux kernel's NFC (Near Field Communication) subsystem, specifically within the nci (NFC Controller Interface) driver. The issue arises in the function nci_rx_work(), which parses and processes received NFC packets. When a packet with a zero-length payload is received, the message type handlers attempt to read from an uninitialized payload buffer. This results in undefined behavior and is detected by the Kernel Memory Sanitizer (KMSAN) as an uninitialized value access. The root cause is that the code does not check the payload length before processing, allowing handlers to operate on invalid data. The vulnerability was reported by syzbot, an automated kernel bug-finding tool. The fix adds a check that silently discards any packet with a zero-size payload before the message handlers are invoked, preventing the use of uninitialized memory.

This vulnerability affects Linux kernel versions identified by the commit hash 6a2968aaf50c7a22fced77a5e24aa636281efca8, and likely other versions containing the same code pattern. No known exploits are reported in the wild as of the publication date (May 19, 2024). The vulnerability does not have a CVSS score assigned yet. The flaw is a memory safety issue that could potentially lead to kernel crashes or undefined behavior if exploited, but it requires the attacker to send crafted NFC packets to the vulnerable system. The NFC subsystem is typically used in devices with NFC hardware, such as smartphones, embedded devices, and some IoT equipment running Linux.
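The length check described above, modelled in user-space C as an added example (this is not the kernel patch and not code from this page). Function and constant names are hypothetical, the 3-octet header layout (message type in the top three bits of octet 0, payload length in octet 2) is assumed from the NCI control packet format, and the bounds check against the buffer length goes beyond the zero-length case the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 3-octet NCI header = MT|PBF|GID, OID, payload length. */
#define HDR_SIZE 3
#define MT_DATA  0x00
#define MT_RSP   0x02
#define MT_NTF   0x03

/* Drop reasons (negative); a non-negative return is the handler result. */
#define DROP_SHORT      (-1)  /* fewer octets than header or declared length */
#define DROP_EMPTY      (-2)  /* zero-size payload: silently discarded */
#define DROP_UNKNOWN_MT (-3)

/* Hypothetical handler. Like the handlers the advisory describes, it reads
 * the first payload octet unconditionally, so callers must guarantee one. */
static int handle_payload(const uint8_t *payload)
{
    return payload[0];
}

/* Model of a receive path that validates the length before dispatching. */
int rx_dispatch(const uint8_t *pkt, size_t len)
{
    if (len < HDR_SIZE)
        return DROP_SHORT;
    uint8_t mt = (pkt[0] >> 5) & 0x07;
    uint8_t plen = pkt[2];
    if (plen == 0)
        return DROP_EMPTY;           /* the check the fix adds */
    if (len - HDR_SIZE < plen)
        return DROP_SHORT;           /* extra check, beyond the advisory */
    switch (mt) {
    case MT_DATA:
    case MT_RSP:
    case MT_NTF:
        return handle_payload(pkt + HDR_SIZE);
    default:
        return DROP_UNKNOWN_MT;
    }
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    const uint8_t empty_ntf[] = { 0x60, 0x00, 0x00 };
    const uint8_t ok_ntf[]    = { 0x60, 0x00, 0x01, 0x05 };
    printf("empty=%d ok=%d\n", rx_dispatch(empty_ntf, sizeof empty_ntf),
           rx_dispatch(ok_ntf, sizeof ok_ntf));
    return 0;
}
```

Without the `plen == 0` branch, the handler would read an octet past the header that the sender never supplied, which is the uninitialized read KMSAN flagged.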
Potential Impact
For European organizations, the impact of CVE-2024-35915 depends largely on their use of Linux systems with NFC capabilities. Enterprises and public sector entities deploying Linux-based devices with NFC—such as access control systems, payment terminals, or embedded IoT devices—could be exposed. Exploitation could lead to kernel instability or denial of service through crafted NFC packets, potentially disrupting critical services or operations. While the vulnerability does not directly imply privilege escalation or remote code execution, the ability to cause kernel memory corruption could be leveraged in complex attack chains. Organizations in sectors like finance, transportation, and government, which may use NFC-enabled Linux devices for secure transactions or identity verification, should be particularly vigilant. The absence of known exploits reduces immediate risk, but the presence of a kernel memory safety flaw warrants prompt patching to prevent future exploitation. Additionally, the vulnerability could be exploited locally or via proximity-based attacks, given NFC's short-range communication nature, which may limit the attack surface but also implies physical proximity is needed.
Mitigation Recommendations
European organizations should take the following specific steps to mitigate CVE-2024-35915:

1) Identify all Linux systems with NFC hardware and verify the kernel versions in use.
2) Apply the official Linux kernel patches that address this vulnerability as soon as they become available, or upgrade to a kernel version that includes the fix.
3) If immediate patching is not feasible, consider disabling the NFC subsystem or the nci driver temporarily to eliminate the attack vector.
4) Monitor NFC-related logs and kernel messages for unusual or malformed packet activity that could indicate attempted exploitation.
5) Implement physical security controls to restrict unauthorized proximity access to NFC-enabled devices, reducing the risk of crafted packet injection.
6) Coordinate with device vendors and embedded system providers to ensure timely firmware and kernel updates.
7) Incorporate this vulnerability into vulnerability management and incident response plans, emphasizing the need for rapid remediation in NFC-enabled environments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.122Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe217e
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 8:10:34 AM
Last updated: 8/19/2025, 10:26:13 PM