CVE-2024-40995: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

syzbot found hanging tasks waiting on rtnl_lock [1]

A reproducer is available in the syzbot bug.

When a request to add multiple actions with the same index is sent, the second request will block forever on the first request. This holds rtnl_lock, and causes tasks to hang.

Return -EAGAIN to prevent infinite looping, while keeping documented behavior.

[1]
INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
      Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
Workqueue: events_power_efficient reg_check_chans_work
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5409 [inline]
 __schedule+0xf15/0x5d00 kernel/sched/core.c:6746
 __schedule_loop kernel/sched/core.c:6823 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6838
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 wiphy_lock include/net/cfg80211.h:5953 [inline]
 reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
 reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
AI Analysis
Technical Summary
CVE-2024-40995 is a vulnerability in the Linux kernel's network scheduling subsystem (net/sched), specifically in the act_api component that manages traffic control actions. The flaw is in tcf_idr_check_alloc(), the function that allocates identifiers (IDR indexes) for traffic control actions. When multiple requests attempt to add actions with the same index concurrently, the second request blocks indefinitely waiting on the first, causing a deadlock. Because the second request holds rtnl_lock (the kernel's routing netlink lock) while it waits, every other task that needs rtnl_lock is stalled, and those tasks hang indefinitely. The issue was discovered by syzbot, an automated kernel fuzzer, which observed tasks blocked on rtnl_lock for extended periods (over 143 seconds in the quoted report). The root cause is that tcf_idr_check_alloc() keeps looping when it encounters a duplicate action index instead of failing the request with an error. The fix returns -EAGAIN so that the caller can retry, which prevents the infinite loop while preserving the documented behavior of the API. The vulnerability can cause kernel-level hangs and denial of service (DoS) through blocked kernel worker threads, affecting system stability and availability. It affects Linux kernel versions prior to the patch on any system with traffic control features enabled. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the primary impact of CVE-2024-40995 is a potential denial of service condition at the kernel level, which can cause system instability or unresponsiveness. This is particularly critical for infrastructure relying on Linux servers for networking, routing, or traffic shaping, such as ISPs, cloud providers, telecom operators, and enterprises with complex network management needs. Systems that heavily utilize Linux traffic control features or custom network configurations are at higher risk. The hang caused by the vulnerability can disrupt critical services, leading to downtime and potential operational losses. Additionally, if exploited in multi-tenant environments or cloud infrastructures, it could affect multiple customers or services simultaneously. While this vulnerability does not directly lead to privilege escalation or data leakage, the availability impact can indirectly affect confidentiality and integrity by disrupting security monitoring, patching, or incident response activities. European organizations with stringent uptime requirements or those operating critical infrastructure should prioritize addressing this issue to maintain service continuity.
Mitigation Recommendations
To mitigate CVE-2024-40995, organizations should promptly apply the official Linux kernel patches that address the infinite loop and blocking condition in tcf_idr_check_alloc(). Since the fix involves returning -EAGAIN to avoid deadlocks, updating to a patched kernel version is the most effective measure. For environments where immediate patching is not feasible, consider temporarily disabling or limiting the use of traffic control actions that add multiple actions with the same index to reduce the risk of triggering the vulnerability. Monitoring kernel logs for hung tasks or blocked rtnl_lock messages can help detect attempts to exploit or encounter this issue. Implementing kernel live patching solutions, where supported, can reduce downtime associated with patch deployment. Additionally, network administrators should review and audit traffic control configurations to ensure they do not inadvertently create conditions that could trigger the vulnerability. Finally, maintain robust incident response and system monitoring capabilities to quickly identify and remediate any system hangs or performance degradation potentially linked to this vulnerability.
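The log monitoring suggested above can be scripted. The following is an added example, not code from the advisory or the kernel: it groups hung-task reports from dmesg-style output, keeps the symbol names of each Call Trace, and flags reports whose trace is waiting on rtnl_lock or sits in act_api code. The sample input is constructed; the first report is hypothetical, the second reuses the wiphy_lock worker trace quoted in the advisory.

```python
import re

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")   # optional dmesg "[  300.001] " prefix
HUNG_RE = re.compile(r"INFO: task (?P<task>\S+) blocked for more than (?P<secs>\d+) seconds")
SUSPECT = ("rtnl_lock", "tcf_", "act_api")   # symbols that tie a hang to this advisory

def parse_hung_tasks(lines):
    """One dict per hung-task report, with the symbol names from its Call Trace."""
    reports, current, in_trace = [], None, False
    for raw in lines:
        line = TS_RE.sub("", raw).strip()
        m = HUNG_RE.search(line)
        if m:
            current = {"task": m["task"], "seconds": int(m["secs"]), "frames": []}
            reports.append(current)
            in_trace = False
        elif current is None:
            continue                           # noise before the first report
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if not line:                       # blank line ends the trace
                in_trace = False
            elif not line.startswith("<"):     # skip <TASK> / </TASK> markers
                current["frames"].append(line.split()[0].split("+")[0])
    return reports

def rtnl_related(report):
    """True when the blocked task is waiting on rtnl_lock or sits in act_api code."""
    return any(s in f for f in report["frames"] for s in SUSPECT)

def scan(text):
    return [(r["task"], r["seconds"], rtnl_related(r)) for r in parse_hung_tasks(text.splitlines())]

# Constructed sample: a hypothetical "ip" command blocked on rtnl_lock, followed by
# the wiphy_lock worker from the trace quoted in the advisory.
SAMPLE = """\
[  300.001] INFO: task ip:4242 blocked for more than 143 seconds.
[  300.002] Call Trace:
[  300.003]  <TASK>
[  300.004]  __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
[  300.005]  rtnl_lock net/core/rtnetlink.c [inline]
[  300.006]  rtnetlink_rcv_msg+0x3c2/0xd40 net/core/rtnetlink.c
[  301.001] INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
[  301.002] Call Trace:
[  301.003]  __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
[  301.004]  wiphy_lock include/net/cfg80211.h:5953 [inline]
[  301.005]  reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
"""
```

scan() takes the text of `dmesg` or the kernel log file and returns one (task, seconds, rtnl_related) tuple per report; any hung task deserves attention, and the rtnl_lock-related ones are the ones that match this advisory's symptom.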
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.607Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe15f3
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 3:11:33 AM
Last updated: 7/28/2025, 8:06:18 PM