CVE-2024-35952: Vulnerability in Linux Linux

Medium
Published: Mon May 20 2024 (05/20/2024, 09:41:46 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/ast: Fix soft lockup

There is a while-loop in ast_dp_set_on_off() that could lead to infinite-loop. This is because the register, VGACRI-Dx, checked in this API is a scratch register actually controlled by a MCU, named DPMCU, in BMC.

These scratch registers are protected by scu-lock. If scu-lock is not off, DPMCU cannot update these registers and then host will have soft lockup due to never updated status.

DPMCU is used to control DP and relative registers to handshake with host's VGA driver. Even the most time-consuming task, DP's link training, is less than 100ms. 200ms should be enough.

AI-Powered Analysis

Last updated: 06/29/2025, 08:27:09 UTC

Technical Analysis

CVE-2024-35952 is a vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically in the ast driver, which manages certain display hardware. The function ast_dp_set_on_off() contains a while-loop that can become an infinite loop. The loop polls a register named VGACRI-Dx, which is a scratch register controlled not by the host CPU but by a microcontroller unit (MCU) called DPMCU, located in the Baseboard Management Controller (BMC). The DPMCU manages DisplayPort (DP) link training and the related handshake with the host's VGA driver.

These scratch registers are protected by a lock called scu-lock. If the scu-lock is not released (i.e., remains engaged), the DPMCU cannot update the VGACRI-Dx register, and the host waits indefinitely for a status update that never arrives. The result is a soft lockup: the CPU is stuck in the loop and cannot proceed with normal operations. According to the fix description, even the most time-consuming DPMCU task, DP link training, takes less than 100 milliseconds, so a 200-millisecond wait should be enough. The affected loop has no such bound, so when the register is never updated the host keeps polling and the system hangs.

This vulnerability affects Linux kernel versions identified by the given commit hashes and has been publicly disclosed as of May 20, 2024. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
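The bounded wait described above, as an added example: a userspace C simulation, not the kernel's ast driver code and not the upstream patch. `struct sim_dev`, `STATUS_ON_MASK` and the 1 ms poll step are assumptions made for illustration; only the 200 ms budget comes from the description.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STATUS_ON_MASK 0x10u  /* hypothetical status bit, not the real layout */
#define POLL_BUDGET_MS 200u   /* upper bound quoted in the CVE description */

/* Simulated hardware, constructed for this example (not driver code). */
struct sim_dev {
    bool scu_locked;       /* true: the MCU cannot write the scratch register */
    uint8_t scratch;       /* stands in for the MCU-owned status register */
    unsigned mcu_delay_ms; /* time the MCU needs, e.g. for link training */
    unsigned now_ms;       /* simulated clock */
};

/* Advance the clock by 1 ms; the MCU publishes its status only if unlocked. */
static void sim_sleep_1ms(struct sim_dev *d)
{
    d->now_ms++;
    if (!d->scu_locked && d->now_ms >= d->mcu_delay_ms)
        d->scratch |= STATUS_ON_MASK;
}

/* Poll for the status bit, but give up after POLL_BUDGET_MS instead of
 * spinning forever. Returns 0 on success, -ETIMEDOUT otherwise. */
int wait_for_on(struct sim_dev *d)
{
    unsigned waited = 0;
    while (!(d->scratch & STATUS_ON_MASK)) {
        if (waited++ >= POLL_BUDGET_MS)
            return -ETIMEDOUT;
        sim_sleep_1ms(d);
    }
    return 0;
}

int main(void)
{
    struct sim_dev ok = { .mcu_delay_ms = 100 };
    struct sim_dev stuck = { .scu_locked = true, .mcu_delay_ms = 100 };
    printf("unlocked: ret=%d\n", wait_for_on(&ok));
    printf("locked:   ret=%d\n", wait_for_on(&stuck));
    printf("elapsed:  %u ms vs %u ms\n", ok.now_ms, stuck.now_ms);
    return 0;
}
```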

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected ast DRM driver, particularly those utilizing hardware that relies on the DPMCU-controlled DisplayPort functionality. The soft lockup can cause system hangs or degraded availability, impacting critical infrastructure, servers, or workstations that depend on stable graphical output or remote management via BMC. In environments such as data centers, telecommunications, and industrial control systems where Linux-based servers and embedded devices are prevalent, this could lead to operational disruptions. Although the vulnerability does not appear to allow privilege escalation or direct data compromise, the denial-of-service condition could interrupt business-critical applications, leading to downtime and potential financial loss. The absence of known exploits reduces immediate risk, but the vulnerability's nature suggests that attackers with local access or the ability to trigger the affected code path could cause system instability. This is particularly relevant for European sectors with stringent uptime requirements, such as finance, healthcare, and public services.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize updating their Linux kernels to versions where the ast driver has been patched to fix the infinite loop condition. Since the issue involves synchronization with the scu-lock and DPMCU updates, kernel patches that correctly manage lock states and implement appropriate timeouts should be applied promptly. Organizations should audit their hardware inventory to identify systems using the affected ast DRM driver and verify if their kernel versions are vulnerable. For systems where immediate patching is not feasible, administrators can consider disabling or limiting the use of the ast driver or related DisplayPort features if possible, to reduce exposure. Monitoring system logs for signs of soft lockups or unusual GPU driver behavior can help detect attempts to trigger the vulnerability. Additionally, ensuring that BMC firmware is up to date and properly configured may help prevent lock contention issues. Implementing robust access controls to restrict local user access and limiting untrusted code execution on affected systems will reduce the risk of exploitation. Finally, organizations should maintain regular backups and have incident response plans ready to address potential system outages caused by this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.135Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe2283

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 8:27:09 AM

Last updated: 7/27/2025, 1:50:00 AM
