
CVE-2024-41012: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Tue Jul 23 2024 (07/23/2024, 08:06:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

filelock: Remove locks reliably when fcntl/close race is detected

When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock.

Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle).

After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory.

Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush().

AI-Powered Analysis

AI analysis last updated: 06/29/2025, 03:27:02 UTC

Technical Analysis

CVE-2024-41012 is a vulnerability in the Linux kernel's filelock subsystem, which implements POSIX record locks (fcntl() with F_SETLK/F_SETLKW). It stems from a race between fcntl_setlk(), which installs a lock on a file, and a concurrent close() of the same file descriptor. fcntl_setlk() already detects this race: when it finds that the descriptor was closed while the lock was being taken, it issues a second do_lock_file_wait() call with F_UNLCK to remove the lock it just created. That removal is not reliable, for two independent reasons. First, Linux Security Modules (LSMs) are consulted on both calls, so a policy can permit the first call that creates the lock while denying the second call that tries to release it. Second, posix_lock_file() can fail to remove the lock when the unlock splits an existing range in the middle and the GFP_KERNEL allocation needed for the extra range fails. In either case the lock stays registered on the inode after the file it references has been released. When any process later reads /proc/locks, lock_get_status() walks the lock list and performs use-after-free reads through the stale entry. According to the fix description this can likely be used to read arbitrary kernel memory but cannot corrupt it, so the consequence is information disclosure rather than privilege escalation or code execution. The fix replaces the second do_lock_file_wait() with locks_remove_posix(), the routine filp_flush() already uses to drop every POSIX lock associated with a given file and files_struct, so removal no longer depends on an LSM decision or on an allocation succeeding. The CVE record identifies the affected code by the introducing commit c293621bbf678a3d85e3ed721c3921c8a670610d; the CVE was published on July 23, 2024. No exploits are known in the wild, and no CVSS score has been assigned.

Potential Impact

For European organizations, the risk is concentrated in systems running affected kernel versions, which covers most Linux servers, cloud instances, container hosts and embedded devices in use across Europe. Triggering the bug requires running code locally: the attacker must be able to call fcntl() and close() on a file and then read /proc/locks, which is world-readable by default. This is therefore a local information-disclosure issue, not a remote one, but any foothold as an unprivileged user is enough, including an unprivileged workload inside a container that shares the host kernel. Arbitrary kernel memory reads can expose cryptographic keys, credentials and kernel pointers, and knowledge of the kernel's memory layout defeats KASLR and makes a subsequent memory-corruption exploit far easier to land. The bug itself cannot corrupt memory or escalate privileges. Organizations running Linux for critical services, such as financial institutions, government agencies and telecommunications providers, should treat it as a stepping-stone vulnerability: limited impact on its own, high value in an exploit chain. No exploits are known in the wild. Exploitability depends partly on configuration: the LSM path needs a policy that allows taking a lock but denies releasing it, whereas the allocation-failure path is independent of LSM policy and only needs memory pressure at the right moment, so no configuration rules the bug out entirely.

Mitigation Recommendations

Update to a kernel that contains the fix commit "filelock: Remove locks reliably when fcntl/close race is detected", which makes fcntl_setlk() call locks_remove_posix() when it detects the race. Distribution kernels carry this as a backport, so check the vendor's advisory for CVE-2024-41012 and the package changelog rather than comparing upstream version numbers, and confirm the running kernel (uname -r) matches the vendor's fixed build. Where patching must wait, be realistic about interim controls: reads of /proc/locks are ordinary procfs reads that are hard to audit and the file is world-readable by default, and there is no dedicated kernel knob for restricting it, so monitoring is at best a detective control for unusual /proc/locks access by unprivileged processes. Review LSM policy so that a subject permitted to take a POSIX lock on a file is also permitted to release it; a policy that allows the first but denies the second is exactly the condition that strands a lock. That review does not address the allocation-failure path, which needs no particular policy, so it is a partial measure. KASLR is what this bug helps an attacker defeat, not a defence against it. The practical controls are therefore to patch promptly, to minimize untrusted local code execution (including unprivileged container workloads on shared kernels), and to keep host-based detection in place for the follow-on activity that a kernel memory leak enables.
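A stranded POSIX lock is the artefact this bug leaves behind: the lock stays in the inode's lock list even after its owner closes the file and exits, so on a patched kernel a POSIX entry in /proc/locks whose owner PID no longer exists is an anomaly worth investigating. The following C program is an added example, not code from the CVE record or from the kernel fix. It parses /proc/locks lines in the format lock_get_status() prints ("id: TYPE CLASS ACCESS PID maj:min:inode start end"), skips blocked-waiter lines ("id: -> ..."), and flags held POSIX locks whose PID is dead. The dead-PID heuristic, the function names and the sample dump are all this example's own constructions; the liveness check is injectable so the scan can be run against a captured dump as well as the live file.

```c
/* Audit a /proc/locks dump for POSIX locks whose owner PID is gone.
 * Added example; not part of the CVE record or the kernel fix. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* One held-lock line as printed by lock_get_status(), e.g.
 * "1: POSIX  ADVISORY  WRITE 4242 08:01:262144 0 EOF" */
struct lock_entry {
    long index;
    char kind[8];      /* POSIX, FLOCK, OFDLCK, LEASE, ... */
    char klass[16];    /* ADVISORY, MANDATORY, ... */
    char access[8];    /* READ, WRITE, RW, ... */
    long pid;          /* 0 when the owner is not visible in the reader's pid namespace */
    char dev_ino[32];  /* maj:min:inode */
    long start;
    long end;          /* -1 stands for EOF */
};

/* Parse one line. Returns false for blocked waiters ("N: -> ...") and malformed input. */
bool parse_locks_line(const char *line, struct lock_entry *e)
{
    const char *p = strchr(line, ':');
    if (!p)
        return false;
    for (p++; *p == ' '; p++)
        ;
    if (strncmp(p, "->", 2) == 0)
        return false;              /* a waiter queued behind a held lock, not a lock */

    char endbuf[16];
    if (sscanf(line, "%ld: %7s %15s %7s %ld %31s %ld %15s",
               &e->index, e->kind, e->klass, e->access,
               &e->pid, e->dev_ino, &e->start, endbuf) != 8)
        return false;
    e->end = strcmp(endbuf, "EOF") == 0 ? -1 : strtol(endbuf, NULL, 10);
    return true;
}

/* Liveness check is injectable so the scan can run against a captured dump. */
typedef bool (*pid_alive_fn)(long pid);

bool pid_alive_procfs(long pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", pid);
    return stat(path, &st) == 0;
}

/* Scan a whole /proc/locks dump. Returns the number of held POSIX locks whose
 * owner PID is dead and stores up to `max` of their line ids in `stale`.
 * PID 0 (owner outside our pid namespace) is skipped, not flagged. */
int find_stale_posix_locks(const char *dump, pid_alive_fn alive, long *stale, int max)
{
    int n = 0;
    char buf[256];
    const char *cur = dump;

    while (*cur) {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, cur, len);
        buf[len] = '\0';

        struct lock_entry e;
        if (parse_locks_line(buf, &e) && strcmp(e.kind, "POSIX") == 0 &&
            e.pid != 0 && !alive(e.pid)) {
            if (n < max)
                stale[n] = e.index;
            n++;
        }
        cur = nl ? nl + 1 : cur + strlen(cur);
    }
    return n;
}

/* Constructed sample dump (hypothetical PIDs/inodes): entry 3 is a POSIX lock
 * owned by a PID that has exited; 4 belongs to a pid-namespace-hidden owner. */
static const char *sample_dump =
    "1: POSIX  ADVISORY  WRITE 4242 08:01:262144 0 EOF\n"
    "2: FLOCK  ADVISORY  WRITE 4242 08:01:262145 0 EOF\n"
    "3: POSIX  ADVISORY  READ  31337 08:01:262146 0 1023\n"
    "3: -> POSIX  ADVISORY  WRITE 31338 08:01:262146 0 1023\n"
    "4: POSIX  ADVISORY  WRITE 0 08:01:262147 0 EOF\n";

/* Stub liveness for the sample: only PID 4242 is "alive". */
static bool sample_alive(long pid) { return pid == 4242; }

int demo_stale_count(void)
{
    long s[8];
    return find_stale_posix_locks(sample_dump, sample_alive, s, 8);
}

long demo_first_stale(void)
{
    long s[8];
    return find_stale_posix_locks(sample_dump, sample_alive, s, 8) > 0 ? s[0] : -1;
}

/* Owner PID of a held-lock line, or -1 if the line is not a held lock. */
long owner_pid_of(const char *line)
{
    struct lock_entry e;
    return parse_locks_line(line, &e) ? e.pid : -1;
}

/* Stand-alone use: scan the live /proc/locks on this host. */
int main(void)
{
    static char dump[1 << 16];
    FILE *f = fopen("/proc/locks", "r");
    if (!f) {
        perror("/proc/locks");
        return 1;
    }
    size_t got = fread(dump, 1, sizeof dump - 1, f);
    fclose(f);
    dump[got] = '\0';

    long stale[64];
    int n = find_stale_posix_locks(dump, pid_alive_procfs, stale, 64);
    for (int i = 0; i < n && i < 64; i++)
        printf("stale POSIX lock, /proc/locks id %ld\n", stale[i]);
    printf("%d stale POSIX lock(s)\n", n);
    return 0;
}
```

Two caveats when using this on real hosts. On an unpatched kernel, reading /proc/locks is itself the use-after-free read the advisory describes, so the scan is a post-patch hygiene check, not a safe probe for vulnerable machines. A flagged entry is also only a hint: PIDs are reused, and a lock taken by a process in another pid namespace is printed with PID 0 and deliberately skipped, so confirm any finding against the inode (maj:min:inode) and the process history before drawing conclusions.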


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.611Z
CISA Enriched: true
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1669

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 3:27:02 AM

Last updated: 8/8/2025, 2:54:04 AM
