CVE-2024-35984 is a vulnerability identified in the Linux kernel specifically related to the I2C subsystem's SMBus implementation. The issue arises from a NULL function pointer dereference in the __i2c_transfer function when operating in target-only mode on the designware I2C controller. In this mode, the assumption that a transfer function pointer is always available is broken, leading to a potential kernel OOPS (crash) due to dereferencing a NULL pointer. The vulnerability was reported by a researcher named Baruch and involves the Linux kernel's handling of SMBus transfers when the designware controller is configured as a target-only device. The fix involves adding a check to ensure the function pointer is not NULL before dereferencing it, thereby preventing the kernel crash. Additionally, a simplification in the core-smbus code was dropped to avoid theoretical regressions. This vulnerability affects Linux kernel versions containing the specified commit hashes prior to the fix. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability primarily impacts the stability and availability of systems running affected Linux kernels with the designware I2C controller in target-only mode, potentially causing denial of service through kernel crashes.

For European organizations, the impact of CVE-2024-35984 centers on system availability and reliability. Systems running Linux kernels with the vulnerable designware I2C controller configuration could experience kernel crashes leading to service interruptions or downtime. This is particularly relevant for embedded systems, industrial control systems, IoT devices, and specialized hardware platforms that rely on Linux and use the designware I2C controller in target-only mode. Such systems are common in manufacturing, telecommunications, and critical infrastructure sectors across Europe. While the vulnerability does not appear to allow privilege escalation or data compromise directly, repeated kernel crashes could disrupt operations, cause data loss due to improper shutdowns, and increase maintenance costs. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or malicious triggering of the flaw, potentially impacting service continuity.

European organizations should prioritize updating their Linux kernel to the latest patched versions that include the fix for CVE-2024-35984. Specifically, kernel maintainers and system administrators should verify if their systems use the designware I2C controller in target-only mode and ensure the kernel version includes the pointer check in __i2c_transfer. For embedded and IoT devices where kernel updates may be less frequent, vendors should be contacted to provide updated firmware or kernel patches. Additionally, organizations should implement monitoring for kernel OOPS or crashes related to I2C operations to detect potential exploitation attempts or accidental triggers. Where feasible, disabling or reconfiguring the designware I2C controller to avoid target-only mode can serve as a temporary mitigation. Finally, thorough testing of kernel updates in controlled environments is recommended to avoid regressions, especially given the dropped simplification in core-smbus code to prevent theoretical regressions.