CVE-2024-35977: Vulnerability in Linux Linux

High
Published: Mon May 20 2024 (05/20/2024, 09:42:03 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

platform/chrome: cros_ec_uart: properly fix race condition

The cros_ec_uart_probe() function calls devm_serdev_device_open() before it calls serdev_device_set_client_ops(). This can trigger a NULL pointer dereference:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    ...
    Call Trace:
     <TASK>
     ...
     ? ttyport_receive_buf

A simplified version of crashing code is as follows:

    static inline size_t serdev_controller_receive_buf(struct serdev_controller *ctrl,
                                                       const u8 *data,
                                                       size_t count)
    {
            struct serdev_device *serdev = ctrl->serdev;

            if (!serdev || !serdev->ops->receive_buf) // CRASH!
                return 0;

            return serdev->ops->receive_buf(serdev, data, count);
    }

It assumes that if SERPORT_ACTIVE is set and serdev exists, serdev->ops will also exist. This conflicts with the existing cros_ec_uart_probe() logic, as it first calls devm_serdev_device_open() (which sets SERPORT_ACTIVE), and only later sets serdev->ops via serdev_device_set_client_ops().

Commit 01f95d42b8f4 ("platform/chrome: cros_ec_uart: fix race condition") attempted to fix a similar race condition, but while doing so, made the window of error for this race condition to happen much wider.

Attempt to fix the race condition again, making sure we fully setup before calling devm_serdev_device_open().

AI-Powered Analysis

Last updated: 06/29/2025, 08:54:54 UTC

Technical Analysis

CVE-2024-35977 is a vulnerability in the Linux kernel's Chrome OS embedded controller UART driver (cros_ec_uart). The root cause is a race condition in cros_ec_uart_probe(): the function calls devm_serdev_device_open() before serdev_device_set_client_ops(), so the serdev device's ops pointer is not yet initialized while the port is already marked active. serdev_controller_receive_buf() dereferences serdev->ops on the assumption that it is set whenever SERPORT_ACTIVE is set and serdev exists, so the kernel crashes with a NULL pointer dereference. An earlier attempt to fix a similar race condition (commit 01f95d42b8f4) inadvertently widened the window for this race condition to occur. The current fix ensures that the device client operations are fully set up before calling devm_serdev_device_open(), which prevents the race and the resulting NULL pointer dereference.

This vulnerability can cause system instability or denial of service (DoS) by crashing the kernel when the race condition is triggered. It affects Linux kernel versions containing the faulty commit and is particularly relevant to Chrome OS devices using this embedded controller UART driver. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
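The ordering problem described above can be reproduced in a small userspace model; this is an added example, not code from the kernel or from the fix commit. The struct layouts, the `active` flag standing in for SERPORT_ACTIVE, and the helper names (`model_receive`, `step_open`, `step_set_ops`, `null_ops_windows`) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model: names mirror the kernel's, bodies are constructed. */
struct serdev_device;
struct serdev_device_ops {
    size_t (*receive_buf)(struct serdev_device *, const unsigned char *, size_t);
};
struct serdev_device {
    const struct serdev_device_ops *ops; /* set by serdev_device_set_client_ops() */
    bool active;                         /* stands in for SERPORT_ACTIVE */
};
enum rx_result { RX_DROPPED, RX_DELIVERED, RX_NULL_OPS };

static size_t ec_receive(struct serdev_device *s, const unsigned char *d, size_t n)
{ (void)s; (void)d; return n; }
static const struct serdev_device_ops ec_ops = { .receive_buf = ec_receive };

/* Receive path: a NULL ops pointer is reported here instead of dereferenced. */
static enum rx_result model_receive(struct serdev_device *s, const unsigned char *d, size_t n)
{
    if (!s || !s->active) return RX_DROPPED;
    if (!s->ops) return RX_NULL_OPS;              /* the kernel oopses here */
    if (!s->ops->receive_buf) return RX_DROPPED;
    s->ops->receive_buf(s, d, n);
    return RX_DELIVERED;
}

typedef void (*probe_step)(struct serdev_device *);
static void step_open(struct serdev_device *s)    { s->active = true; }
static void step_set_ops(struct serdev_device *s) { s->ops = &ec_ops; }

/* Run the probe steps with one byte arriving after each; count NULL-ops hits. */
static int null_ops_windows(const probe_step *steps, size_t nsteps)
{
    struct serdev_device dev = { .ops = NULL, .active = false };
    const unsigned char byte = 0x55;              /* constructed input */
    int hits = 0;
    for (size_t i = 0; i < nsteps; i++) {
        steps[i](&dev);
        hits += (model_receive(&dev, &byte, 1) == RX_NULL_OPS);
    }
    return hits;
}
int vulnerable_windows(void) /* open first, ops second: pre-fix ordering */
{ const probe_step o[] = { step_open, step_set_ops }; return null_ops_windows(o, 2); }
int fixed_windows(void)      /* ops first, open last: ordering after the fix */
{ const probe_step o[] = { step_set_ops, step_open }; return null_ops_windows(o, 2); }
int main(void)
{ printf("vulnerable=%d fixed=%d\n", vulnerable_windows(), fixed_windows()); return 0; }
```

With the pre-fix ordering the model finds one point where the port is active and `ops` is still NULL; with the corrected ordering there is none, because data arriving before the open is dropped.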

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service through kernel crashes on affected Linux systems, especially those running Chrome OS or Linux distributions that include the vulnerable cros_ec_uart driver. Organizations relying on Chrome OS devices for endpoint computing or embedded Linux systems with this driver could experience unexpected system reboots or downtime, impacting productivity and operational continuity. While this vulnerability does not appear to allow privilege escalation or remote code execution directly, the resulting kernel panic could be exploited in targeted denial-of-service attacks, potentially disrupting critical services or user environments. Given the widespread use of Linux in enterprise servers, embedded devices, and IoT systems, the impact could extend to infrastructure stability if affected devices are deployed in critical roles. However, the scope is somewhat limited to systems using this specific driver and kernel version. The absence of known exploits reduces immediate risk but does not eliminate the need for timely patching to prevent future exploitation attempts.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions where this race condition is fixed, ensuring that the cros_ec_uart_probe() function fully initializes client operations before opening the serdev device. Specifically, they should track and apply kernel patches that address commit 01f95d42b8f4 and subsequent fixes related to this issue. For Chrome OS deployments, administrators should apply official Chrome OS updates that include this fix. Additionally, organizations should audit their device inventory to identify systems running affected kernel versions with the cros_ec_uart driver enabled. Where immediate patching is not feasible, mitigating controls include limiting access to vulnerable devices, monitoring kernel logs for signs of NULL pointer dereferences or crashes related to serdev devices, and implementing robust system restart and recovery procedures to minimize downtime. Testing updates in controlled environments before wide deployment is recommended to avoid regressions. Finally, maintain vigilance for any emerging exploit reports or security advisories related to this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.143Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe2360

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 8:54:54 AM

Last updated: 7/31/2025, 4:20:33 AM
