CVE-2024-41032 is a vulnerability identified in the Linux kernel's memory management subsystem, specifically within the vmalloc area handling code. The issue arises from incorrect assumptions about the CPU topology on certain architectures, such as SPARC, where the cpu_possible_mask—a bitmap representing CPUs that may be present on the system—contains gaps between set CPUs. The vulnerability stems from the addr_to_vb_xa() hash function, which calculates an index used to access per-CPU data structures. Due to the gaps in cpu_possible_mask, this hash function can generate an index that points to a CPU that is not possible or not initialized, leading to an out-of-bounds access when the per_cpu() macro is used. This results in a kernel oops (crash) on affected systems. Additionally, the per-cpu vmap_block_queue, used as a hash table, incorrectly assumes a contiguous cpu_possible_mask without gaps, exacerbating the problem. The fix involves adjusting the index calculation to map to the next possible CPU, ensuring safe access to per-CPU data. This vulnerability is architecture-specific and primarily affects systems with non-contiguous cpu_possible_mask configurations, such as SPARC platforms running Linux kernels with the affected commits. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.

The primary impact of CVE-2024-41032 is a denial of service (DoS) condition caused by kernel oopses on affected Linux systems. This can lead to system instability, crashes, and potential downtime, which is critical for servers and infrastructure relying on continuous availability. For European organizations, especially those operating SPARC-based Linux systems or other architectures with similar CPU topology characteristics, this vulnerability could disrupt critical services. Although the vulnerability does not directly lead to privilege escalation or remote code execution, the resulting kernel crashes can interrupt business operations, affect data availability, and increase recovery costs. Given that SPARC architectures are less common in Europe compared to x86_64, the impact is somewhat limited but still significant for niche sectors such as telecommunications, research institutions, or legacy systems in financial services that might use such hardware. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or intentional triggering of the kernel oops.

To mitigate CVE-2024-41032, European organizations should: 1) Identify and inventory Linux systems running on architectures with non-contiguous cpu_possible_mask, particularly SPARC-based servers. 2) Apply the official Linux kernel patches that address the index calculation in addr_to_vb_xa() and the per-cpu vmap_block_queue handling as soon as they become available from trusted Linux distributions or kernel maintainers. 3) For systems where immediate patching is not feasible, implement monitoring for kernel oops and crashes related to vmalloc or per-CPU data access to detect exploitation attempts or accidental triggers early. 4) Engage with hardware and OS vendors to confirm support and patch availability for affected platforms. 5) Consider architectural reviews to phase out or isolate legacy SPARC systems where possible, reducing exposure. 6) Maintain robust backup and recovery procedures to minimize downtime in case of system crashes. These steps go beyond generic advice by focusing on architecture-specific identification, proactive patch management, and operational readiness tailored to the unique characteristics of this vulnerability.