CVE-2024-40977 is a vulnerability identified in the Linux kernel specifically affecting the mt76 wireless driver for the mt7921s chipset. The issue arises during the chip recovery process, such as a chip reset, where a deadlock condition can occur between kernel worker threads. Specifically, the reset_work kernel worker holds a lock and waits for the stat_worker kernel thread to be parked, while stat_worker simultaneously waits for the release of the same lock. This circular wait creates a deadlock, causing the kernel to detect hung tasks and potentially triggering a system reboot. The vulnerability stems from improper synchronization and locking mechanisms during chip recovery operations in the wireless driver. The patch implemented prevents the execution of stat_worker during chip recovery, thereby breaking the deadlock cycle and stabilizing the system. This vulnerability affects Linux kernel versions containing the mt76 driver with the mt7921s chipset support, which is commonly used in various wireless devices. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

For European organizations, this vulnerability can lead to system instability and unexpected reboots on devices running affected Linux kernels with the mt7921s wireless chipset. This can disrupt network connectivity, especially in environments relying on wireless communications such as offices, industrial IoT deployments, and critical infrastructure. The deadlock and subsequent reboot can cause denial of service conditions, impacting availability of systems and services. Organizations with large-scale Linux deployments, including servers, embedded systems, or network appliances using this chipset, may experience operational interruptions. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact can affect business continuity and operational reliability. In sectors such as telecommunications, manufacturing, and public services where Linux-based wireless devices are prevalent, the disruption could have cascading effects. Additionally, the need for patching and system reboots to remediate the issue may require planned maintenance windows, impacting service uptime.

To mitigate this vulnerability, European organizations should promptly apply the Linux kernel patches that address CVE-2024-40977 once available from their Linux distribution vendors or kernel maintainers. It is critical to verify that the kernel version in use includes the fix preventing stat_worker execution during chip recovery. Organizations should audit their infrastructure to identify devices using the mt7921s chipset and mt76 driver. For embedded or IoT devices where kernel updates may be delayed, consider isolating affected devices from critical network segments to reduce impact. Monitoring system logs for hung task messages and unexpected reboots can help detect exploitation attempts or manifestation of the issue. Implementing robust change management and testing procedures before deploying kernel updates will minimize operational disruptions. Additionally, vendors and system integrators should be engaged to ensure timely firmware and driver updates for affected hardware. Network segmentation and redundancy can further reduce the impact of potential availability issues caused by this vulnerability.