CVE-2024-35955 is a high-severity use-after-free vulnerability in the Linux kernel's kprobes subsystem, which allows dynamic kernel instrumentation. The issue arises during the unloading of kernel modules, where the module's state transitions from MODULE_STATE_LIVE to MODULE_STATE_GOING and finally to MODULE_STATE_UNFORMED. The vulnerability is due to improper handling of module state changes when checking if an address belongs to a module's text section. Specifically, the functions is_module_text_address() and __module_text_address() are used separately, leading to a race condition where the module state can change to MODULE_STATE_UNFORMED between these calls. This causes __module_text_address() to fail, but the failure is ignored under the assumption that the address is kernel text. Consequently, arm_kprobe() may attempt to modify a non-existent module text address, resulting in a use-after-free condition. Exploiting this flaw could allow an attacker with local privileges (PR:L) to execute arbitrary code in kernel space, leading to full system compromise. The vulnerability does not require user interaction and can be exploited remotely only if local access is obtained. The fix involves consolidating the address checks into a single __module_text_address() call and using try_module_get(module) to ensure the module is in MODULE_STATE_LIVE during the operation, preventing the use-after-free scenario. The CVSS v3.1 score is 8.8, reflecting the critical impact on confidentiality, integrity, and availability due to potential kernel-level code execution and system control.

For European organizations, this vulnerability poses a significant risk as Linux is widely used in servers, cloud infrastructure, embedded systems, and critical industrial environments. Successful exploitation could lead to privilege escalation, allowing attackers to gain kernel-level control, bypass security mechanisms, and potentially deploy persistent malware or ransomware. This could disrupt essential services, compromise sensitive data, and impact operational continuity. Organizations relying on Linux-based infrastructure for web hosting, cloud services, or industrial control systems could face severe operational and reputational damage. Additionally, sectors such as finance, healthcare, and government, which often use hardened Linux environments, could be targeted for espionage or sabotage. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for patching given the high severity and ease of exploitation by local attackers.

European organizations should prioritize applying the official Linux kernel patches that address this vulnerability as soon as they become available. Until patched, they should restrict local access to trusted users only, implement strict access controls, and monitor for suspicious kernel module loading/unloading activities. Employing kernel integrity monitoring tools and enabling security modules like SELinux or AppArmor can help detect anomalous behavior. Additionally, organizations should audit and limit the use of kprobes and other dynamic instrumentation tools to reduce the attack surface. For environments where immediate patching is not feasible, consider isolating critical systems and employing virtualization or containerization to contain potential exploitation impacts. Regularly updating and hardening Linux systems, combined with comprehensive logging and alerting on kernel events, will enhance detection and response capabilities.