
CVE-2024-40976: Vulnerability in Linux Linux

Medium
Published: Fri Jul 12 2024 (07/12/2024, 12:32:12 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/lima: mask irqs in timeout path before hard reset

There is a race condition in which a rendering job might take just long enough to trigger the drm sched job timeout handler but also still complete before the hard reset is done by the timeout handler. This runs into race conditions not expected by the timeout handler. In some very specific cases it currently may result in a refcount imbalance on lima_pm_idle, with a stack dump such as:

    [10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0
    ...
    [10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0
    ...
    [10136.669628] Call trace:
    [10136.669634]  lima_devfreq_record_idle+0xa0/0xb0
    [10136.669646]  lima_sched_pipe_task_done+0x5c/0xb0
    [10136.669656]  lima_gp_irq_handler+0xa8/0x120
    [10136.669666]  __handle_irq_event_percpu+0x48/0x160
    [10136.669679]  handle_irq_event+0x4c/0xc0

We can prevent that race condition entirely by masking the irqs at the beginning of the timeout handler, at which point we give up on waiting for that job entirely. The irqs will be enabled again at the next hard reset which is already done as a recovery by the timeout handler.

AI-Powered Analysis

Last updated: 06/29/2025, 02:56:59 UTC

Technical Analysis

CVE-2024-40976 is a vulnerability in the Linux kernel, specifically within the Direct Rendering Manager (DRM) subsystem for the Lima GPU driver. The issue arises from a race condition between the handling of rendering jobs and the DRM scheduler's job timeout mechanism. When a rendering job takes just long enough to trigger the DRM scheduler's timeout handler but still completes before the hard reset initiated by the timeout handler, an unexpected race condition occurs. This can lead to a reference count imbalance on the lima_pm_idle function, which manages power management idle states for the Lima GPU. The imbalance manifests as kernel warnings and stack dumps, indicating improper handling of interrupts (IRQs) during the timeout recovery process.

The root cause is that the timeout handler does not mask IRQs at the start, allowing concurrent interrupt handling that conflicts with the reset process. The fix masks IRQs at the beginning of the timeout handler to prevent the race condition, effectively abandoning the rendering job and relying on the hard reset to recover the GPU state. IRQs are re-enabled after the reset, ensuring system stability.

This vulnerability is specific to the Lima DRM driver, which supports ARM Mali GPUs, commonly found in embedded and mobile devices running Linux. The vulnerability does not appear to have known exploits in the wild and affects specific Linux kernel versions identified by commit hashes. No CVSS score has been assigned yet, and the vulnerability was published on July 12, 2024.

Potential Impact

For European organizations, the impact of CVE-2024-40976 depends largely on the deployment of Linux systems using the Lima DRM driver, typically in embedded devices, IoT, or ARM-based platforms. If exploited or triggered, the race condition can cause kernel warnings, potential system instability, or GPU resets, which may lead to temporary denial of service on affected devices. This could disrupt critical embedded systems or industrial control devices relying on ARM Mali GPUs. While the vulnerability does not directly lead to privilege escalation or remote code execution, the instability and GPU resets could impact availability and reliability of services, particularly in sectors like manufacturing, telecommunications, or automotive industries where embedded Linux devices are prevalent. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future exploitation or accidental triggering of the race condition under heavy GPU load. Confidentiality and integrity impacts are minimal as the issue is related to device driver race conditions and resource management rather than data leakage or corruption.

Mitigation Recommendations

European organizations should prioritize updating Linux kernel versions to include the patch that masks IRQs at the start of the DRM scheduler timeout handler for the Lima driver. Since the vulnerability arises from a race condition in the kernel driver, applying the official Linux kernel updates or backported patches from trusted Linux distribution vendors is the most effective mitigation. For embedded or IoT devices where kernel updates may be slower, organizations should consider implementing monitoring for kernel warnings related to lima_devfreq_record_idle and lima_sched_pipe_task_done to detect potential triggering of the race condition. Additionally, workload management to avoid prolonged GPU rendering jobs that approach the timeout threshold can reduce the likelihood of triggering the vulnerability. Device manufacturers and integrators should validate firmware and kernel versions in their supply chain to ensure patched kernels are deployed. Finally, organizations should maintain robust incident response plans for embedded device failures and consider network segmentation to limit the impact of any device instability caused by this vulnerability.
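
The kernel-warning monitoring recommended above can be done with a small log scanner. The following is an added example, not code from the advisory or from the kernel project; the function name find_lima_idle_warnings, the one-second grouping window and the lima_*_irq_handler naming pattern are assumptions made for illustration.

```python
import re

# Constructed sample: the splat lines quoted in the advisory (its "..." gaps
# left out), placed between constructed, unrelated kernel messages.
SAMPLE_LOG = """\
[10130.000100] usb 1-1: new high-speed USB device number 3 using ehci-platform
[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0
[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0
[10136.669628] Call trace:
[10136.669634]  lima_devfreq_record_idle+0xa0/0xb0
[10136.669646]  lima_sched_pipe_task_done+0x5c/0xb0
[10136.669656]  lima_gp_irq_handler+0xa8/0x120
[10136.669666]  __handle_irq_event_percpu+0x48/0x160
[10136.669679]  handle_irq_event+0x4c/0xc0
[10200.100000] WARNING: CPU: 1 PID: 42 at kernel/example.c:10 example_func+0x10/0x20
[10200.100010]  example_func+0x10/0x20
"""

LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")            # "[ts] message"
WARN_RE = re.compile(r"^WARNING: CPU: \d+ PID: \d+ at (\S+):(\d+) (\w+)\+")
FRAME_RE = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
IRQ_RE = re.compile(r"lima_\w+_irq_handler")  # assumed naming of lima IRQ handlers

def find_lima_idle_warnings(lines, window=1.0):
    """Return one dict per WARNING raised in lima_devfreq_record_idle."""
    events, current = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        w = WARN_RE.match(msg)
        if w:
            current = None  # a new splat ends frame collection for the last one
            if w.group(3) == "lima_devfreq_record_idle":
                current = {"time": ts, "source": w.group(1),
                           "line": int(w.group(2)), "frames": []}
                events.append(current)
            continue
        f = FRAME_RE.match(msg)
        if current and f and ts - current["time"] <= window:
            current["frames"].append(f.group(1))
    for ev in events:
        # Advisory signature: idle accounting reached from the job-done path,
        # which was itself entered from a lima interrupt handler.
        ev["irq_completion_path"] = (
            "lima_sched_pipe_task_done" in ev["frames"]
            and any(IRQ_RE.fullmatch(s) for s in ev["frames"]))
    return events
```

The match is on symbol names rather than on the source line number, because the line (205 in the advisory's trace) shifts between kernel versions.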


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.603Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1545

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 2:56:59 AM

Last updated: 8/18/2025, 11:34:57 PM
