
CVE-2024-40904: Vulnerability in Linux

High
Published: Fri Jul 12 2024 (07/12/2024, 12:20:45 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup:

    cdc_wdm 1-1:1.0: nonzero urb status received: -71
    cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
    watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
    CPU#0 Utilization every 4s during lockup:
      #1: 98% system, 0% softirq, 3% hardirq, 0% idle
      #2: 98% system, 0% softirq, 3% hardirq, 0% idle
      #3: 98% system, 0% softirq, 3% hardirq, 0% idle
      #4: 98% system, 0% softirq, 3% hardirq, 0% idle
      #5: 98% system, 1% softirq, 3% hardirq, 0% idle
    Modules linked in:
    irq event stamp: 73096
    hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
    hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
    hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
    hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
    softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
    softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
    softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
    CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024

Testing showed that the problem did not occur if the two error messages -- the first two lines above -- were removed; apparently adding material to the kernel log takes a surprisingly large amount of time. In any case, the best approach for preventing these lockups and to avoid spamming the log with thousands of error messages per second is to ratelimit the two dev_err() calls. Therefore we replace them with dev_err_ratelimited().
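The following userspace C program is an added illustration, not code from the kernel or from this advisory. It models the ratelimit_state semantics that dev_err_ratelimited() relies on (a 5-second interval with a burst of 10, which are the kernel's default values) on a simulated millisecond clock instead of jiffies, then drives the two cdc-wdm error sites named above with a flood of -EPROTO completions, once with unthrottled logging and once with rate limiting. The struct and function names (ratelimit, wdm_model, simulate_flood) are the example's own, and the 8-byte notification size stands in for sizeof(struct usb_cdc_notification).

```c
/* Added example (not the kernel's code): a userspace model of why
 * replacing dev_err() with dev_err_ratelimited() stops the log flood. */
#include <stdio.h>
#include <string.h>

#define URB_STATUS_EPROTO (-71) /* the status syzbot saw in the log above */
#define RL_INTERVAL_MS 5000     /* mirrors the kernel's default 5*HZ interval */
#define RL_BURST 10             /* mirrors the kernel's default burst of 10 */

/* Simplified copy of the kernel's ratelimit_state bookkeeping, driven by a
 * simulated millisecond clock so that a run is deterministic. */
struct ratelimit {
    long begin_ms;   /* start of the current interval */
    int printed;     /* messages allowed in this interval */
    int missed;      /* messages dropped in this interval */
};

/* Returns 1 if the caller may print, 0 if the message must be dropped.
 * *suppressed receives the number of drops from a window that just closed. */
static int rl_allow(struct ratelimit *rl, long now_ms, int *suppressed)
{
    *suppressed = 0;
    if (now_ms - rl->begin_ms >= RL_INTERVAL_MS) {
        *suppressed = rl->missed;   /* the kernel logs "N callbacks suppressed" here */
        rl->begin_ms = now_ms;
        rl->printed = 0;
        rl->missed = 0;
    }
    if (rl->printed < RL_BURST) {
        rl->printed++;
        return 1;
    }
    rl->missed++;
    return 0;
}

struct wdm_model {
    int ratelimited;            /* 0 = plain dev_err(), 1 = dev_err_ratelimited() */
    struct ratelimit rl_status; /* one state per call site, as the macro expands to */
    struct ratelimit rl_len;
    long emitted;               /* error lines that actually reached the log */
    int verbose;
};

static void model_log(struct wdm_model *m, struct ratelimit *rl, long now_ms,
                      const char *fmt, int arg)
{
    int suppressed = 0;
    if (m->ratelimited && !rl_allow(rl, now_ms, &suppressed))
        return;
    if (suppressed && m->verbose)
        printf("[%6ld ms] %d callbacks suppressed\n", now_ms, suppressed);
    m->emitted++;
    if (m->verbose) {
        printf("[%6ld ms] cdc_wdm 1-1:1.0: ", now_ms);
        printf(fmt, arg);
    }
}

/* Models the two error paths of the interrupt completion callback for a
 * failed, empty URB: the status check and the short-notification check. */
static void int_callback_model(struct wdm_model *m, int status, int actual_length,
                               long now_ms)
{
    if (status != 0)
        model_log(m, &m->rl_status, now_ms, "nonzero urb status received: %d\n", status);
    if (actual_length < 8) /* stands in for sizeof(struct usb_cdc_notification) */
        model_log(m, &m->rl_len, now_ms, "wdm_int_callback - %d bytes\n", actual_length);
}

/* Simulate `iterations` immediate resubmissions of a -EPROTO URB, one every
 * step_ms of simulated time. Returns the number of error lines emitted. */
long simulate_flood(int ratelimited, int iterations, long step_ms, int verbose)
{
    struct wdm_model m;
    memset(&m, 0, sizeof m);
    m.ratelimited = ratelimited;
    m.verbose = verbose;
    for (int i = 0; i < iterations; i++)
        int_callback_model(&m, URB_STATUS_EPROTO, 0, (long)i * step_ms);
    return m.emitted;
}

int main(void)
{
    /* 10 s of simulated time at one failed URB per millisecond */
    printf("plain dev_err():       %ld lines\n", simulate_flood(0, 10000, 1, 0));
    printf("dev_err_ratelimited(): %ld lines\n", simulate_flood(1, 10000, 1, 1));
    return 0;
}
```

At one failed URB per millisecond the unthrottled model writes 20000 lines in ten simulated seconds, while the rate-limited model writes 10 per site per 5-second interval, 40 lines in total. At one failed URB per second the same rate-limited model still lets every message through, which is the property that makes the fix safe for genuinely faulty hardware: occasional errors stay visible, only floods are cut.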

AI-Powered Analysis

Last updated: 06/29/2025, 12:57:06 UTC

Technical Analysis

CVE-2024-40904 is a vulnerability identified in the Linux kernel's USB subsystem, specifically within the cdc-wdm driver which handles USB CDC (Communications Device Class) WDM (Wireless Device Management) devices. The issue was discovered through fuzz testing by syzbot, which revealed that the interrupt-URB (USB Request Block) completion callback in the cdc-wdm driver could cause a CPU lockup. This occurs because the driver immediately resubmits interrupt URBs with a -EPROTO status code, which combined with dummy-hcd emulation, leads to excessive logging of error messages. The logging itself is time-consuming and results in a soft lockup where the CPU is stuck in a high utilization state (approximately 98% system CPU usage) for extended periods (e.g., 26 seconds), effectively freezing the system. The root cause is the unthrottled dev_err() calls that flood the kernel log with thousands of error messages per second, causing the CPU to be overwhelmed. The fix implemented involves replacing these dev_err() calls with dev_err_ratelimited(), which rate-limits the error messages and prevents the CPU lockup by reducing the logging overhead. This vulnerability affects Linux kernel versions prior to the patch and is particularly relevant for systems using the cdc-wdm driver, which is common in devices that manage cellular modems and other wireless communication hardware over USB. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, the impact of CVE-2024-40904 can be significant in environments where Linux systems interface with cellular modems or wireless communication devices via USB, such as in telecommunications infrastructure, IoT gateways, industrial control systems, and mobile network equipment. A CPU lockup can lead to system unavailability, disrupting critical services and operations. This could affect network reliability, data transmission, and device management, potentially causing downtime in sectors like telecommunications, manufacturing, transportation, and public services. The lockup does not appear to allow privilege escalation or direct data compromise but impacts system availability and stability, which can have cascading effects on business continuity and operational technology environments. Given the widespread use of Linux in servers, embedded systems, and network devices across Europe, failure to patch this vulnerability could expose organizations to denial-of-service conditions triggered by USB device interactions or fuzzing attacks targeting the cdc-wdm driver.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the patch replacing dev_err() with dev_err_ratelimited() in the cdc-wdm driver. Specifically, kernel maintainers and system administrators should monitor official Linux kernel releases and backport patches to long-term support (LTS) kernels where applicable. Additionally, organizations should audit their systems to identify devices using the cdc-wdm driver, particularly those managing cellular modems or wireless USB devices. Where possible, limit or control USB device connections to trusted hardware to reduce exposure. Implement kernel logging rate-limiting configurations and monitor kernel logs for unusual error message flooding that could indicate attempts to trigger this vulnerability. In environments where kernel updates are delayed, consider disabling or unloading the cdc-wdm driver if it is not required, or isolating affected systems to minimize impact. Finally, integrate this vulnerability into incident response and patch management workflows to ensure timely remediation.
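The recommendation above to watch kernel logs for unusual error-message flooding can be turned into a concrete check. The C program below is an added example, not part of this advisory or of any kernel tooling: it parses dmesg-style lines ("[ seconds.micros ] message"), counts how many times an identical message repeats inside a sliding time window, and reports the peak. The sample log is constructed inline from the two cdc-wdm messages quoted in the description; the function names (peak_repeat_rate, build_sample) and the flood threshold are the example's own choices.

```c
/* Added example (not from the advisory or the kernel): flag a kernel-log
 * flood of identical messages, the symptom that precedes this lockup. */
#include <stdio.h>
#include <string.h>

#define MAX_LINES 128
#define LINE_LEN 128
#define MAX_KEYS 16
#define FLOOD_THRESHOLD 20      /* identical lines per window that count as a flood */

struct key_stats {
    char key[LINE_LEN];    /* message text after the timestamp */
    double window_start;   /* timestamp that opened the current counting window */
    int in_window;         /* repeats seen in the current window */
    int peak;              /* largest in_window value observed for this key */
};

/* Parse "[  12.345678] message" into a timestamp and a pointer to the message. */
static int parse_line(const char *line, double *ts, const char **msg)
{
    int n = 0;
    if (sscanf(line, "[%lf]%n", ts, &n) != 1 || n == 0)
        return 0;
    line += n;
    while (*line == ' ')
        line++;
    *msg = line;
    return 1;
}

/* Return the slot for msg, creating it if needed; -1 if the table is full. */
static int find_key(struct key_stats *keys, int *nkeys, const char *msg)
{
    for (int i = 0; i < *nkeys; i++)
        if (strcmp(keys[i].key, msg) == 0)
            return i;
    if (*nkeys == MAX_KEYS)
        return -1;
    struct key_stats *k = &keys[(*nkeys)++];
    memset(k, 0, sizeof *k);
    snprintf(k->key, sizeof k->key, "%s", msg);
    k->window_start = -1.0;
    return *nkeys - 1;
}

/* Peak number of identical messages inside any window_s-second window.
 * Lines are expected in timestamp order, as dmesg emits them. If peak_msg
 * is non-NULL it receives the message text that produced the peak. */
int peak_repeat_rate(char lines[][LINE_LEN], int nlines, double window_s,
                     char *peak_msg, size_t peak_msg_len)
{
    struct key_stats keys[MAX_KEYS];
    int nkeys = 0, peak = 0, peak_idx = -1;

    for (int i = 0; i < nlines; i++) {
        double ts;
        const char *msg;
        if (!parse_line(lines[i], &ts, &msg))
            continue;
        int k = find_key(keys, &nkeys, msg);
        if (k < 0)
            continue;
        struct key_stats *s = &keys[k];
        if (s->window_start < 0 || ts - s->window_start > window_s) {
            s->window_start = ts;   /* window expired: start counting afresh */
            s->in_window = 0;
        }
        s->in_window++;
        if (s->in_window > s->peak)
            s->peak = s->in_window;
        if (s->peak > peak) {
            peak = s->peak;
            peak_idx = k;
        }
    }
    if (peak_msg && peak_idx >= 0)
        snprintf(peak_msg, peak_msg_len, "%s", keys[peak_idx].key);
    return peak;
}

/* Constructed sample (not a real capture): two ordinary lines, then the two
 * cdc-wdm errors repeating every millisecond. Returns the line count. */
int build_sample(char lines[][LINE_LEN])
{
    int n = 0;
    snprintf(lines[n++], LINE_LEN, "[  100.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd");
    snprintf(lines[n++], LINE_LEN, "[  100.050000] cdc_wdm 1-1:1.0: cdc-wdm0: USB WDM device");
    for (int i = 0; i < 25; i++) {
        double ts = 100.100 + i * 0.001;
        snprintf(lines[n++], LINE_LEN, "[  %.6f] cdc_wdm 1-1:1.0: nonzero urb status received: -71", ts);
        snprintf(lines[n++], LINE_LEN, "[  %.6f] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes", ts);
    }
    return n;
}

int main(void)
{
    char lines[MAX_LINES][LINE_LEN];
    char msg[LINE_LEN];
    int n = build_sample(lines);
    int peak = peak_repeat_rate(lines, n, 1.0, msg, sizeof msg);
    printf("peak repeats in 1 s window: %d (%s)\n", peak, msg);
    if (peak >= FLOOD_THRESHOLD)
        printf("log flood detected: check USB devices bound to cdc-wdm\n");
    return 0;
}
```

On a live system the same logic can be fed from `dmesg` or `journalctl -k` output; the window and threshold are tuning knobs, and a healthy cdc-wdm device should never come close to tens of identical error lines per second.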


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.579Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2dfd

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 12:57:06 PM

Last updated: 8/2/2025, 5:02:10 AM

Views: 17
