CVE-2024-35917 is a vulnerability identified in the Linux kernel specifically affecting the s390 architecture (IBM Z mainframe systems). The issue arises from a subtle bug in the Berkeley Packet Filter (BPF) implementation related to pointer arithmetic in the bpf_plt (procedure linkage table) code. The root cause is a violation of the C standard in the way pointers are subtracted, which misleads the GCC compiler's alias analysis. This results in the compiler reordering instructions such that memcpy() is moved after certain pointer assignments, causing NULL pointers to be written instead of valid return and target addresses. The practical effect is a crash triggered by the dummy_st_ops/dummy_init_ptr_arg test on s390x systems. The vulnerability is due to the compiler assuming that pointers point to different objects and thus allowing reordering, but the code's pointer arithmetic violates the C standard's requirement that pointers involved in subtraction must belong to the same array object. The fix involves hardcoding offsets rather than relying on pointer arithmetic that violates the standard, thereby preventing the compiler from misoptimizing the code. This vulnerability is specific to the s390 architecture and the BPF subsystem, which is used for packet filtering and tracing within the kernel. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The vulnerability was responsibly disclosed and fixed promptly in the Linux kernel source.

For European organizations running Linux on s390 architecture systems—primarily large enterprises, financial institutions, and government agencies using IBM Z mainframes—this vulnerability could cause system crashes or instability when executing BPF-related operations. While it does not directly lead to privilege escalation or code execution, the resulting kernel crashes could cause denial of service conditions, impacting availability of critical services. Given that s390 systems are often used in high-availability environments for transaction processing, any downtime could have significant operational and financial consequences. However, the impact is limited to organizations using this specific architecture and kernel feature. Most European organizations running Linux on x86 or ARM architectures are not affected. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future exploitation or accidental crashes triggered by malformed BPF programs or tests.

European organizations using Linux on s390 systems should promptly apply the official Linux kernel patches that fix CVE-2024-35917. Since the vulnerability stems from compiler optimizations and pointer arithmetic, updating to the fixed kernel version is the most effective mitigation. Additionally, organizations should audit their use of BPF programs on s390 systems and restrict untrusted or unnecessary BPF code execution to reduce risk. Implementing kernel live patching where supported can minimize downtime during patch deployment. Monitoring system logs for unusual BPF-related crashes can help detect attempts to trigger this vulnerability. For environments where patching is delayed, consider disabling or limiting BPF functionality on s390 systems if feasible, though this may impact functionality. Finally, ensure that development and build environments use updated compilers that do not reorder instructions incorrectly in similar contexts.