
CVE-2024-42129: Vulnerability in Linux (Linux kernel)

Severity: Medium
Published: Tue Jul 30 2024 (07/30/2024, 07:46:25 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

leds: mlxreg: Use devm_mutex_init() for mutex initialization

In this driver LEDs are registered using devm_led_classdev_register() so they are automatically unregistered after module's remove() is done. led_classdev_unregister() calls module's led_set_brightness() to turn off the LEDs and that callback uses mutex which was destroyed already in module's remove() so use devm API instead.

AI-Powered Analysis

Last updated: 06/29/2025, 05:39:35 UTC

Technical Analysis

CVE-2024-42129 is a lifetime bug in the Linux kernel's mlxreg LED driver (drivers/leds/leds-mlxreg.c), caused by a mismatch between the order in which the driver tears down its own state and the order in which the device-resource (devres) core tears down managed resources. The driver registers its LEDs with devm_led_classdev_register(), so the LED class devices are unregistered by the devres core after the driver's remove() callback has returned. Unregistration goes through led_classdev_unregister(), which turns the LED off by calling led_set_brightness(), and that reaches the driver's brightness-set callback, which takes the driver's mutex. The driver, however, initialised that mutex by hand in probe() and called mutex_destroy() on it in remove(), so the callback runs against a mutex that has already been destroyed. The consequence is use of a destroyed lock rather than use of freed memory: mutex_destroy() is a no-op in kernels built without CONFIG_DEBUG_MUTEXES, and with mutex debugging enabled it clears the lock's magic value, so the later mutex_lock() trips the kernel's lock-debugging warning on the unbind or module-unload path. The fix replaces the manual initialisation with devm_mutex_init(), which initialises the mutex and registers mutex_destroy() as a devres action at that point. Because devres actions are released in reverse order of registration, and the mutex is initialised before the LEDs are registered, the mutex now outlives the LED unregistration that uses it, and remove() no longer destroys it by hand. No exploitation in the wild has been reported. The CVE record identifies affected versions by commit hash rather than by release number, and no CVSS score has been assigned.
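The ordering problem described above can be reproduced in a user-space model. The following C program is an added example written for this page, not code from the Linux kernel or from the leds-mlxreg driver: it reimplements, in simplified form, a mutex with the magic check that CONFIG_DEBUG_MUTEXES performs, a devres list that releases actions in reverse registration order, and the probe/remove sequence of a driver shaped like leds-mlxreg. The functions named devm_mutex_init, devm_led_classdev_register, mutex_destroy and led_brightness_set are stand-ins for the kernel functions of the same or similar names; their bodies here are assumptions that capture only the ordering behaviour, and struct led_data is a hypothetical driver-private structure.

```c
#include <stdio.h>
#include <stdbool.h>

/* Mutex model under CONFIG_DEBUG_MUTEXES: magic == own address while live,
 * cleared by mutex_destroy(). Assumption: only the magic check is modelled. */
struct mutex { struct mutex *magic; bool locked; };

static int destroyed_mutex_uses;   /* lock attempts on an already-destroyed mutex */

static void mutex_init(struct mutex *m) { m->magic = m; m->locked = false; }
static void mutex_destroy(struct mutex *m) { m->magic = NULL; }
static void mutex_unlock(struct mutex *m) { m->locked = false; }
static void mutex_lock(struct mutex *m)
{
	if (m->magic != m) {   /* kernel: MUTEX_WARN_ON(lock->magic != lock) */
		destroyed_mutex_uses++;
		printf("WARNING: mutex_lock() on a destroyed mutex\n");
	}
	m->locked = true;
}

/* Minimal devres: actions are released in reverse registration order (LIFO),
 * which is what devres_release_all() does once remove() has returned. */
#define MAX_DEVRES 8
struct device { void (*release[MAX_DEVRES])(void *); void *arg[MAX_DEVRES]; int n; };

static void devm_add_action(struct device *dev, void (*rel)(void *), void *arg)
{
	dev->release[dev->n] = rel;
	dev->arg[dev->n] = arg;
	dev->n++;
}

static void devres_release_all(struct device *dev)
{
	while (dev->n > 0) {
		dev->n--;
		dev->release[dev->n](dev->arg[dev->n]);
	}
}

/* Hypothetical driver-private data: one mutex guarding LED register access. */
struct led_data { struct mutex access_lock; int brightness; };

/* The driver's brightness callback takes the mutex on every call. */
static void led_brightness_set(struct led_data *led, int value)
{
	mutex_lock(&led->access_lock);
	led->brightness = value;
	mutex_unlock(&led->access_lock);
}

/* led_classdev_unregister() turns the LED off through that callback. */
static void led_classdev_release(void *arg) { led_brightness_set(arg, 0); }

static void devm_led_classdev_register(struct device *dev, struct led_data *led)
{
	devm_add_action(dev, led_classdev_release, led);
}

/* devm_mutex_init(): initialise now, queue mutex_destroy() as a devres action. */
static void devm_mutex_release(void *arg) { mutex_destroy(arg); }
static void devm_mutex_init(struct device *dev, struct mutex *m)
{
	mutex_init(m);
	devm_add_action(dev, devm_mutex_release, m);
}

/* Pre-fix flow: mutex_init() in probe(), manual mutex_destroy() in remove().
 * Returns how many times the teardown locked a destroyed mutex. */
int run_buggy_driver(void)
{
	struct device dev = { .n = 0 };
	struct led_data led;
	destroyed_mutex_uses = 0;
	mutex_init(&led.access_lock);            /* probe() */
	devm_led_classdev_register(&dev, &led);
	led_brightness_set(&led, 1);             /* normal operation */
	mutex_destroy(&led.access_lock);         /* remove() */
	devres_release_all(&dev);                /* core unregisters the LED after remove() */
	return destroyed_mutex_uses;
}

/* Fixed flow: devm_mutex_init() before the LED is registered, nothing in remove(). */
int run_fixed_driver(void)
{
	struct device dev = { .n = 0 };
	struct led_data led;
	destroyed_mutex_uses = 0;
	devm_mutex_init(&dev, &led.access_lock); /* probe() */
	devm_led_classdev_register(&dev, &led);
	led_brightness_set(&led, 1);
	devres_release_all(&dev);                /* LED released first, mutex destroyed last */
	return destroyed_mutex_uses;
}

int main(void)
{
	printf("buggy driver: %d destroyed-mutex use(s)\n", run_buggy_driver());
	printf("fixed driver: %d destroyed-mutex use(s)\n", run_fixed_driver());
	return 0;
}
```

run_buggy_driver() reproduces the CVE: the LED release action fires after remove() has destroyed the mutex, so the brightness callback locks a destroyed mutex once. run_fixed_driver() queues mutex_destroy() as a devres action before the LED is registered, so the reverse-order release tears the LED down first and the count stays at zero. The same argument applies to any devm-managed resource whose teardown path still needs a lock or buffer that the driver frees by hand in remove().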

Potential Impact

For European organizations the exposure is narrow. The leds-mlxreg driver is the LED driver for Mellanox (NVIDIA) switch platforms, so the systems that load it are network switches and similar platform hardware rather than general-purpose Linux servers, embedded devices or IoT fleets; organizations operating such switches, in telecommunications and data-centre networking in particular, are the ones affected. The defect sits on the driver-removal path and is reached only when the driver is unbound or the leds_mlxreg module is unloaded, both of which require root (module unloading needs CAP_SYS_MODULE). There is no remote trigger and no confidentiality or integrity impact; what the fault does is make the LED teardown take a mutex that remove() has already destroyed. On a kernel built without mutex debugging, mutex_destroy() is a no-op and the sequence passes silently; on a kernel with CONFIG_DEBUG_MUTEXES the lock-debugging check fires a warning, and if kernel.panic_on_warn is set that warning becomes a panic, which is the one configuration in which this bug turns a routine module unload into a denial of service. The practical impact is therefore operational and administratively triggered: unexpected warnings or, in the panic_on_warn case, an outage during maintenance on an affected switch.

Mitigation Recommendations

Update affected switch platforms to a kernel that carries the fix, in which leds-mlxreg initialises its mutex with devm_mutex_init(); for custom or vendor kernels, backport the commit named in the description. Until then the trigger is under administrative control: the bug is reached only by unbinding the driver or unloading the leds_mlxreg module, so avoid doing either on production switches outside a maintenance window. Where modules never need to be loaded or unloaded at runtime, set kernel.modules_disabled=1 once boot is complete; this removes the unload path entirely and cannot be reverted without a reboot. Module unloading already requires CAP_SYS_MODULE, so restricting it further is about limiting which administrators can take the action, not about closing a privilege gap. Blacklisting the module is a poor trade here: it removes the platform's LED control while the vulnerable code is only reached on the way out. On kernels with CONFIG_DEBUG_MUTEXES enabled, watch the kernel log for mutex lock-debugging warnings around any unbind or unload of the driver, and check whether kernel.panic_on_warn is set, since it turns that warning into a panic. Track the fix through the normal vulnerability-management and patching cycle so it is applied with the next kernel update.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-07-29T15:50:41.185Z
CISA Enriched
true
CVSS Version
null
State
PUBLISHED

Threat ID: 682d9827c4522896dcbe1b1d

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 5:39:35 AM

Last updated: 8/16/2025, 6:46:03 AM

