
CVE-2024-36967: Vulnerability in Linux Linux

Medium
Published: Sat Jun 08 2024 (06/08/2024, 12:52:59 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: Fix memory leak in tpm2_key_encode()

'scratch' is never freed. Fix this by calling kfree() in the success, and in the error case.

AI-Powered Analysis

Last updated: 06/29/2025, 10:42:11 UTC

Technical Analysis

CVE-2024-36967 is a vulnerability in the Linux kernel's TPM2 (Trusted Platform Module 2) key encoding functionality, part of the 'trusted' keys subsystem. The function tpm2_key_encode() allocates memory named 'scratch' and never frees it: neither the success path nor the error path calls kfree(), so the memory is leaked persistently. This flaw does not appear to directly allow code execution, privilege escalation, or information disclosure, but the unreleased kernel memory could degrade system performance or stability over time, especially on systems that frequently use TPM2 key encoding operations. The vulnerability affects multiple versions of the Linux kernel, identified by the commit hash f2219745250f388edacabe6cca73654131c67d0a. The issue was reserved on May 30, 2024, and published on June 8, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned. The fix calls kfree() on all code paths so that the allocated memory is always released. This is primarily a resource management bug in the kernel's TPM2 key handling code: it does not directly compromise confidentiality or integrity, but it can affect availability through resource exhaustion if exploited at scale.
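The leak pattern described above and the shape of its fix, as an added user-space example (not the kernel's tpm2_key_encode() source and not code from this page). A four-slot pool stands in for kernel memory, and pool_alloc(), pool_free(), encode_leaky(), encode_fixed() and ok_calls() are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 4          /* constructed: tiny pool standing in for kernel memory */
#define SCRATCH_SIZE 64  /* constructed size, not the kernel's */
static unsigned char pool[SLOTS][SCRATCH_SIZE];
static int used;         /* slots currently held */
static void *pool_alloc(void) { return used < SLOTS ? pool[used++] : NULL; } /* models kmalloc() */
static void pool_free(void *p) { if (p) used--; }  /* models kfree(); LIFO is enough here */
typedef int (*encode_fn)(const unsigned char *in, size_t len, unsigned char *out);
/* Leaky shape: 'scratch' is released on neither the error nor the success path. */
static int encode_leaky(const unsigned char *in, size_t len, unsigned char *out)
{
    unsigned char *scratch = pool_alloc();
    if (!scratch) return -1;            /* allocator exhausted */
    if (len > SCRATCH_SIZE) return -2;  /* error path: scratch leaked */
    memcpy(scratch, in, len);           /* placeholder for the encoding work */
    memcpy(out, scratch, len);
    return (int)len;                    /* success path: scratch leaked */
}

/* Fixed shape: every exit after the allocation passes through one pool_free(). */
static int encode_fixed(const unsigned char *in, size_t len, unsigned char *out)
{
    int ret = -2;
    unsigned char *scratch = pool_alloc();
    if (!scratch) return -1;
    if (len > SCRATCH_SIZE) goto out;   /* error path now frees too */
    memcpy(scratch, in, len);
    memcpy(out, scratch, len);
    ret = (int)len;
out:
    pool_free(scratch);
    return ret;
}

/* Number of calls completed before the allocator fails (max if it never does). */
static int ok_calls(encode_fn fn, size_t len, int max)
{
    unsigned char in[8] = "keyblob", out[SCRATCH_SIZE]; /* constructed sample input */
    used = 0;                           /* fresh pool for each measurement */
    for (int n = 0; n < max; n++)
        if (fn(in, len, out) == -1) return n;
    return max;
}

int main(void)
{
    printf("leaky=%d fixed=%d\n", ok_calls(encode_leaky, 8, 1000), ok_calls(encode_fixed, 8, 1000));
}
```

The leaky variant exhausts the pool after four calls whether the input is accepted or rejected, which is why the fix has to cover both paths.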

Potential Impact

For European organizations, the impact of CVE-2024-36967 is generally low to medium depending on the deployment scale and usage of TPM2 features. Organizations using Linux servers or devices with TPM2 support that perform frequent key encoding operations may experience gradual degradation of system performance or stability due to memory leaks. This could lead to increased system crashes or reboots if memory exhaustion occurs, impacting availability of critical services. However, since the vulnerability does not enable privilege escalation or direct data compromise, the confidentiality and integrity of systems are not immediately at risk. The impact is more operational, potentially affecting uptime and requiring more frequent maintenance or reboots. Organizations with high-security environments relying on TPM2 for hardware-based security may need to prioritize patching to maintain system reliability. Given the lack of known exploits, the immediate risk is low, but unpatched systems could become targets if attackers develop methods to exploit the leak for denial-of-service or other indirect attacks.

Mitigation Recommendations

European organizations should apply the Linux kernel patch that fixes the memory leak in tpm2_key_encode() as soon as it becomes available from their Linux distribution vendors. Since this is a kernel-level issue, updating to the latest stable kernel version containing the fix is the most effective mitigation. Organizations should also monitor their systems for unusual memory usage patterns or increased crashes related to TPM2 operations. For environments with TPM2-dependent applications, consider implementing resource monitoring and automated alerts to detect early signs of memory exhaustion. Additionally, organizations should review their TPM2 usage to minimize unnecessary key encoding operations until the patch is applied. Testing kernel updates in staging environments before production deployment is recommended to ensure compatibility. Finally, maintain regular system and kernel updates as part of a robust patch management process to prevent exploitation of similar vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-30T15:25:07.081Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2806

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 10:42:11 AM

Last updated: 8/13/2025, 9:47:31 AM
