CVE-2024-36478: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

Writing 'power' and 'submit_queues' concurrently will trigger kernel panic:

Test script:

    modprobe null_blk nr_devices=0
    mkdir -p /sys/kernel/config/nullb/nullb0
    while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &
    while true; do echo 1 > power; echo 0 > power; done

Test result:

    BUG: kernel NULL pointer dereference, address: 0000000000000148
    Oops: 0000 [#1] PREEMPT SMP
    RIP: 0010:__lock_acquire+0x41d/0x28f0
    Call Trace:
     <TASK>
     lock_acquire+0x121/0x450
     down_write+0x5f/0x1d0
     simple_recursive_removal+0x12f/0x5c0
     blk_mq_debugfs_unregister_hctxs+0x7c/0x100
     blk_mq_update_nr_hw_queues+0x4a3/0x720
     nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
     nullb_device_submit_queues_store+0x79/0xf0 [null_blk]
     configfs_write_iter+0x119/0x1e0
     vfs_write+0x326/0x730
     ksys_write+0x74/0x150

This is because del_gendisk() can run concurrently with blk_mq_update_nr_hw_queues():

    nullb_device_power_store        nullb_apply_submit_queues
     null_del_dev
      del_gendisk
                                     nullb_update_nr_hw_queues
                                      if (!dev->nullb)
                                      // still set while gendisk is deleted
                                       return 0
                                      blk_mq_update_nr_hw_queues
     dev->nullb = NULL

Fix this problem by reusing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.
AI Analysis
Technical Summary
CVE-2024-36478 is a vulnerability identified in the Linux kernel's null_blk module, which is a block device driver used primarily for testing and development purposes. The vulnerability arises from a race condition when concurrently writing to the 'power' and 'submit_queues' configuration parameters via configfs. Specifically, concurrent writes to these parameters can lead to a null pointer dereference in the kernel, causing a kernel panic and system crash. The root cause is a lack of proper synchronization between the functions nullb_device_power_store() and nullb_update_nr_hw_queues(), which manipulate shared data structures without adequate locking. This allows del_gendisk() to run concurrently with blk_mq_update_nr_hw_queues(), leading to a use-after-free or null pointer dereference scenario. The vulnerability is reproducible using a test script that rapidly alternates writes to 'submit_queues' and 'power', triggering the kernel panic. The fix involves reusing a global mutex to protect these critical sections, ensuring that concurrent modifications do not corrupt kernel state. This vulnerability affects specific Linux kernel versions identified by the commit hash 45919fbfe1c487c17ea1d198534339a5e8abeae3 and was published on June 21, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment of affected Linux kernel versions and the use of the null_blk module. While null_blk is primarily a testing and development driver, it is included in many Linux distributions and could be present in development, testing, or specialized environments. Exploitation leads to a kernel panic, causing denial of service (DoS) by crashing the system. This can disrupt critical services, especially in environments relying on Linux servers for infrastructure, cloud services, or embedded systems. Although this vulnerability does not directly lead to privilege escalation or data leakage, the resulting DoS can impact availability, potentially affecting business continuity, especially in sectors like finance, healthcare, and critical infrastructure. Since exploitation requires local access and specific interaction with configfs interfaces, remote exploitation is unlikely without prior access. However, insider threats or compromised accounts could trigger this vulnerability. The absence of known exploits reduces immediate risk, but organizations should prioritize patching to prevent future exploitation and maintain system stability.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Identify and inventory Linux systems running affected kernel versions, especially those used for development, testing, or specialized block device functions.
2) Apply the official Linux kernel patches that introduce the global mutex protecting nullb_device_power_store() and nullb_update_nr_hw_queues() as soon as they become available from trusted Linux distribution vendors or upstream kernel sources.
3) Restrict access to configfs interfaces, particularly the null_blk configuration directories, to trusted administrators only, minimizing the risk of unauthorized local exploitation.
4) Implement monitoring and alerting for unusual writes to configfs parameters related to null_blk, which could indicate attempts to trigger the vulnerability.
5) For environments where null_blk is not required, consider disabling or unloading the null_blk kernel module to eliminate the attack surface.
6) Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely updates.
7) Conduct testing in staging environments before deploying patches to production to avoid unintended disruptions.
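A host-level check covering steps 1, 3 and 5 above, as an added example that is not part of the advisory or the kernel patch. The function names, the verdict labels and the root-prefix argument are assumptions made for this sketch; the configfs path is the one used in the description, and /sys/module/null_blk is the standard sysfs location for the driver.

```shell
#!/bin/sh
# Added audit sketch. Each function takes an optional root prefix (hypothetical
# convention) so the checks run against a live host ("") or a copied tree.

# "present" if the driver is loaded or built in, otherwise "absent".
nullblk_module_state() {
    root="${1:-}"
    if [ -d "$root/sys/module/null_blk" ]; then echo present; else echo absent; fi
}

# One line per configfs-created device: "<name> power=<value>".
nullblk_devices() {
    root="${1:-}"
    cfg="$root/sys/kernel/config/nullb"
    [ -d "$cfg" ] || return 0
    for dev in "$cfg"/*/; do
        [ -d "$dev" ] || continue
        name=$(basename "$dev")
        power=$(cat "$dev/power" 2>/dev/null || echo '?')
        echo "$name power=$power"
    done
}

# The two attributes named in the advisory, if writable by group or other.
nullblk_loose_attrs() {
    root="${1:-}"
    cfg="$root/sys/kernel/config/nullb"
    [ -d "$cfg" ] || return 0
    find "$cfg" -type f \( -name power -o -name submit_queues \) \
        \( -perm -020 -o -perm -002 \) -print
}

# Inventory verdict: not-exposed (driver absent), idle (driver present, no
# configfs devices), review (devices configured or attributes loosely writable).
nullblk_verdict() {
    root="${1:-}"
    [ "$(nullblk_module_state "$root")" = present ] || { echo not-exposed; return; }
    if [ -n "$(nullblk_devices "$root")" ] || [ -n "$(nullblk_loose_attrs "$root")" ]; then
        echo review
    else
        echo idle
    fi
}
```

On a live system call `nullblk_verdict ""`. A result of `idle` on a host that has no use for the driver is the case where step 5 applies, for example with `modprobe -r null_blk`.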
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-21T10:13:16.284Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe2552
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 9:40:37 AM
Last updated: 8/12/2025, 9:05:57 AM