CVE-2024-36952 is a vulnerability identified in the Linux kernel's SCSI subsystem, specifically related to the lpfc (LightPulse Fibre Channel) driver handling NPIV (N_Port ID Virtualization) transport unregistration. NPIV allows multiple virtual ports (vports) to share a single physical Fibre Channel port, enabling virtualization of storage area network (SAN) resources. The vulnerability arises due to a race condition during the unregistration process of NPIV vports. When a vport is unregistered, the Linux kernel calls fc_remove_host(), which in turn calls dev_loss_tmo for all destination IDs (D_IDs), including the fabric D_ID. This call removes the last reference to the node list data pointer (ndlp) and frees the associated remote port (rport) object. However, this premature freeing can cause the final DA_ID (Delete All IDs) and LOGO (Logout) Extended Link Service (ELS) commands, which notify the fabric switch of the vport's removal, to be skipped. As a result, the fabric switch may erroneously believe that the NPIV vport remains logged into the fabric, potentially leading to stale or inconsistent state information on the SAN fabric. The fix involves reordering the calls so that fc_remove_host() and scsi_remove_host() are invoked only after the DA_ID and LOGO ELS commands have been successfully sent to the fabric switch, ensuring proper cleanup and synchronization between the host and the fabric. This vulnerability is specific to Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and affects environments using the lpfc driver with NPIV enabled. No known exploits are reported in the wild as of the publication date (May 30, 2024).

The impact of CVE-2024-36952 primarily concerns the integrity and availability of Fibre Channel SAN environments running on Linux systems with the lpfc driver and NPIV enabled. If the fabric switch retains stale NPIV login states due to skipped DA_ID and LOGO commands, it may lead to resource leaks, misrouting of storage traffic, or denial of service conditions on the SAN fabric. For European organizations relying on Linux-based SAN infrastructure for critical storage operations—such as financial institutions, healthcare providers, and large enterprises—this could result in degraded storage performance, increased operational complexity, or temporary loss of access to storage resources. Although this vulnerability does not directly expose confidentiality risks or allow remote code execution, the resulting SAN fabric inconsistencies could disrupt business continuity and complicate incident response. The absence of known exploits reduces immediate risk, but the complexity of SAN environments and the critical nature of storage systems in Europe amplify the importance of timely patching and monitoring.

To mitigate CVE-2024-36952, European organizations should: 1) Apply the official Linux kernel patches that reorder the unregistration sequence to ensure DA_ID and LOGO ELS commands are sent before resource cleanup. This requires updating to a kernel version that includes the fix identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 or later. 2) Conduct thorough testing of SAN environments after patching to verify that NPIV vport removal behaves correctly and that fabric switches reflect accurate login states. 3) Implement monitoring on SAN fabric switches to detect stale NPIV sessions or unusual login/logout patterns that may indicate incomplete vport removals. 4) Coordinate with SAN fabric vendors to ensure firmware and switch software are up to date and compatible with patched Linux kernels. 5) Document and review NPIV usage policies, limiting NPIV deployment to necessary workloads to reduce attack surface and complexity. 6) Train system administrators on the implications of NPIV and the importance of proper unregistration procedures to prevent operational disruptions.