
CVE-2024-35975: Vulnerability in Linux (Linux kernel)

Severity: Medium
Published: Mon May 20 2024 (05/20/2024, 09:42:01 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix transmit scheduler resource leak. In order to support shaping and scheduling, upon class creation the netdev driver allocates transmit schedulers. The previous patch which added support for round robin scheduling has a bug due to which the driver is not freeing transmit schedulers post class deletion. This patch fixes the same.

AI-Powered Analysis

AILast updated: 06/29/2025, 08:42:05 UTC

Technical Analysis

CVE-2024-35975 is a vulnerability in the Linux kernel's octeontx2-pf network driver. It is a resource leak in the transmit scheduler component used for shaping and scheduling network traffic. When a traffic class is created, the network device driver allocates transmit schedulers to manage packet transmission order and bandwidth allocation. A prior patch introduced support for round robin scheduling but contained a bug that prevented the driver from freeing these transmit scheduler resources when the class was deleted. As a result, allocated transmit schedulers remain in use after they are no longer needed. Over time, repeated class creation and deletion could exhaust the scheduler resources on the affected system, degrading network performance or causing instability in the network driver. The vulnerability does not appear to allow direct code execution or privilege escalation, but the improper resource management could be exploited indirectly to cause denial of service conditions or impact system reliability. The issue has been resolved by a patch that ensures transmit schedulers are correctly freed upon class deletion. The vulnerability affects the Linux kernel versions that contain the faulty patch, and no known exploits are currently reported in the wild. No CVSS score has been assigned yet; the record's state is Published and it has been enriched by CISA.

Potential Impact

For European organizations, the impact of CVE-2024-35975 primarily concerns network infrastructure stability and reliability. Organizations utilizing Linux-based systems with the octeontx2-pf driver—commonly found in network appliances or servers handling traffic shaping and scheduling—may experience degraded network performance or a denial of service if the resource leak accumulates over time. This could affect critical services relying on stable network throughput, such as telecommunications providers, data centers, cloud service operators, and enterprises with high network traffic demands. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact could disrupt business operations, especially in sectors requiring high uptime and network reliability. Given the absence of known exploits, the immediate risk is moderate, but unpatched systems remain exposed to future exploitation or inadvertent service degradation. European organizations with stringent uptime requirements or those operating critical infrastructure should prioritize patching to maintain service continuity.

Mitigation Recommendations

To mitigate CVE-2024-35975, European organizations should:

1. Identify Linux systems running kernels with the affected octeontx2-pf driver versions, particularly those involved in network traffic shaping or scheduling.
2. Apply the official Linux kernel patch that fixes the transmit scheduler resource leak as soon as it becomes available in their distribution or vendor kernel updates.
3. Monitor network device driver resource usage and system logs for signs of resource leaks or network performance degradation that could indicate the vulnerability's effects.
4. Implement proactive resource management and capacity planning to detect abnormal resource consumption early.
5. For environments where immediate patching is challenging, consider temporary workarounds such as limiting class creation/deletion frequency or restarting affected network services during maintenance windows to reclaim leaked resources.
6. Maintain up-to-date inventories of network drivers and kernel versions to quickly assess exposure to similar vulnerabilities in the future.

These steps go beyond generic advice by focusing on driver-specific monitoring and operational controls tailored to the vulnerability's nature.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.143Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe2349

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 8:42:05 AM

Last updated: 7/29/2025, 11:17:44 PM
