CVE-2024-35954: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

scsi: sg: Avoid sg device teardown race

sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling scsi_device_put(). sg_device_destroy() is accessing the parent scsi_device request_queue which will already be set to NULL when the preceding call to scsi_device_put() removed the last reference to the parent scsi_device. The resulting NULL pointer exception will then crash the kernel.
AI Analysis
Technical Summary
CVE-2024-35954 is a vulnerability in the Linux kernel's SCSI generic (sg) driver. It is a race condition in sg device teardown, in the function sg_remove_sfp_usercontext(), which calls sg_device_destroy() after it has already called scsi_device_put(). When that scsi_device_put() call releases the last reference to the parent scsi_device, the parent's request_queue pointer is set to NULL. sg_device_destroy() then accesses that request_queue, dereferences the NULL pointer, and the kernel crashes, resulting in a denial of service (DoS) condition. The affected kernel versions are identified by commit hashes and are builds that predate the patch. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. Triggering the race condition and the resulting kernel crash requires a local code execution context.
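A userspace C model of the ordering problem described above, added here as an illustration and not taken from the kernel source or from the advisory. The names parent_dev, child_dev, parent_put, child_destroy and teardown are hypothetical stand-ins, and the destroy-before-put ordering is one arrangement consistent with the description, not a copy of the upstream patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model with hypothetical names; this is not kernel code. */
struct parent_dev {            /* stands in for the parent scsi_device */
    int refs;
    int *request_queue;        /* valid only while refs > 0 */
};

struct child_dev {             /* stands in for the sg device */
    struct parent_dev *parent;
    int saw_null_queue;        /* set at the point where the kernel would oops */
};

static void parent_put(struct parent_dev *p)
{
    if (--p->refs == 0)
        p->request_queue = NULL;   /* last reference dropped: queue is gone */
}

static void child_destroy(struct child_dev *c)
{
    /* Teardown needs the parent's queue; the model records NULL instead of crashing. */
    if (c->parent->request_queue == NULL)
        c->saw_null_queue = 1;
}

/* Returns 1 if destroy ran against a NULL queue, 0 if teardown was clean.
 * other_holders: references to the parent held elsewhere at teardown time. */
int teardown(int other_holders, int destroy_before_put)
{
    int queue = 0;
    struct parent_dev parent = { other_holders + 1, &queue };
    struct child_dev child = { &parent, 0 };

    if (destroy_before_put) {      /* parent stays pinned while destroy runs */
        child_destroy(&child);
        parent_put(&parent);
    } else {                       /* the ordering the description warns against */
        parent_put(&parent);
        child_destroy(&child);
    }
    return child.saw_null_queue;
}

int main(void)
{
    printf("put-then-destroy, another holder: %d\n", teardown(1, 0));
    printf("put-then-destroy, last reference: %d\n", teardown(0, 0));
    printf("destroy-then-put, last reference: %d\n", teardown(0, 1));
    return 0;
}
```

The put-then-destroy ordering only fails when the put happens to drop the last reference, which is why the defect shows up as a timing-dependent race and not on every teardown.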
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with the SCSI generic driver enabled. The impact is a potential denial of service through kernel crashes, which can disrupt critical services, especially in data centers, cloud infrastructures, and enterprise environments relying on Linux servers for storage and compute workloads. Systems that handle SCSI devices, such as SAN storage arrays or virtualized environments using SCSI emulation, are particularly at risk. The disruption could affect availability of services, leading to operational downtime and potential financial losses. While this vulnerability does not directly lead to privilege escalation or data leakage, the induced kernel panic could be exploited by attackers to cause persistent service interruptions. European organizations with high reliance on Linux-based infrastructure, including telecommunications, finance, and public sector entities, could face increased operational risks if patches are not applied promptly.
Mitigation Recommendations
To mitigate this vulnerability, organizations should promptly update their Linux kernels to versions that include the patch fixing CVE-2024-35954. Since the vulnerability involves a race condition in kernel device teardown, applying the official Linux kernel patch is the most effective measure. Until patches are applied, organizations should limit access to systems running vulnerable kernels to trusted users only, as exploitation requires local code execution. Monitoring kernel logs for unexpected crashes or oops messages related to sg devices can help detect attempted exploitation. Additionally, disabling or unloading the sg driver module on systems where SCSI generic device support is not required can reduce the attack surface. For virtualized environments, ensure hypervisor and guest OS kernels are updated, as the vulnerability could impact virtual SCSI devices. Regular kernel updates and adherence to security best practices for Linux system hardening will further reduce risk.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.135Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbddcb0
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 3:26:39 AM
Last updated: 7/30/2025, 10:06:14 PM