CVE-2024-42138: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file
In case of invalid INI file mlxsw_linecard_types_init() deallocates memory but doesn't reset pointer to NULL and returns 0. In case of any error occurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init() calls mlxsw_linecard_types_fini() which performs memory deallocation again.
Add pointer reset to NULL.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
AI Analysis
Technical Summary
CVE-2024-42138 is a vulnerability identified in the Linux kernel's mlxsw (Mellanox Switch) driver, specifically within the core_linecards component. The issue arises from improper memory management during the initialization of linecard types from an INI configuration file. When an invalid INI file is processed, the function mlxsw_linecard_types_init() deallocates memory but fails to reset the pointer to NULL and returns success (0). If any subsequent error occurs after this call, the mlxsw_linecards_init() function invokes mlxsw_linecard_types_fini(), which attempts to free the same memory again, leading to a double free condition. This double free vulnerability can cause undefined behavior such as memory corruption, potential kernel crashes (denial of service), or could be leveraged by an attacker to escalate privileges or execute arbitrary code within the kernel context. The root cause is a missing pointer reset after memory deallocation, which is a classic programming error in C/C++ memory management. The fix involves resetting the pointer to NULL after freeing the memory to prevent the double free. This vulnerability was discovered by the Linux Verification Center using static analysis tools (SVACE). There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet.
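The sequence described above, as an added example that is not the mlxsw driver's code: a userspace C model in which `types_init`, `types_fini`, `init_with_later_error` and the single-slot allocator are hypothetical stand-ins. A repeated free is counted instead of performed, so the unpatched and patched paths can be compared safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model with hypothetical names; not the mlxsw driver source. */
struct types_info { bool live; };   /* live: allocated and not yet freed */
struct linecards { struct types_info *types_info; };

static struct types_info slot;      /* single-object stand-in for the allocator */
static int double_frees;            /* second releases of the same object */
static struct types_info *model_alloc(void) { slot.live = true; return &slot; }

static void model_free(struct types_info *p)
{
    if (!p) return;                             /* like kfree(NULL): no-op */
    if (!p->live) { double_frees++; return; }   /* already freed: record it */
    p->live = false;
}

/* Invalid INI: free but still return 0; reset_ptr selects the patched path. */
static int types_init(struct linecards *lc, bool ini_valid, bool reset_ptr)
{
    lc->types_info = model_alloc();
    if (!ini_valid) {
        model_free(lc->types_info);
        if (reset_ptr)
            lc->types_info = NULL;
    }
    return 0;
}

static void types_fini(struct linecards *lc) { model_free(lc->types_info); }

/* A later init step fails (constructed) and the unwind path calls fini. */
static int init_with_later_error(bool ini_valid, bool reset_ptr)
{
    struct linecards lc = { NULL };
    double_frees = 0;
    if (types_init(&lc, ini_valid, reset_ptr) == 0)
        types_fini(&lc);
    return double_frees;
}

int main(void)
{
    printf("invalid INI: unpatched=%d patched=%d\n",
           init_with_later_error(false, false), init_with_later_error(false, true));
    return 0;
}
```

With a valid INI file the pointer is freed once in either variant; only the combination of an invalid file, a success return and a later error reaches the second free.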
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected mlxsw driver versions, which are commonly used in high-performance networking equipment such as Mellanox switches and network interface cards. The impact includes potential denial of service due to kernel crashes, which can disrupt critical network infrastructure and services. In worst-case scenarios, if exploited, it could allow attackers to execute arbitrary code with kernel privileges, leading to full system compromise. This is particularly concerning for data centers, telecom providers, cloud service operators, and enterprises relying on Linux-based networking hardware. The vulnerability could affect the availability and integrity of network operations, impacting business continuity and potentially exposing sensitive data if attackers gain elevated privileges. Given the complexity of exploitation and the requirement for specific conditions (invalid INI files and error states), the immediate risk may be moderate, but the potential impact on critical infrastructure is significant.
Mitigation Recommendations
European organizations should promptly apply the patch or update provided by the Linux kernel maintainers that addresses CVE-2024-42138. Since the vulnerability stems from a double free in the mlxsw driver, upgrading to the fixed kernel version is the most effective mitigation. In environments where immediate patching is not feasible, organizations should audit and validate the integrity and correctness of INI configuration files used by mlxsw linecards to prevent invalid configurations that trigger the vulnerability. Additionally, implementing kernel-level security features such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and enabling memory protection mechanisms can reduce exploitation risk. Monitoring kernel logs for unusual crashes or memory errors related to mlxsw can help detect attempts to exploit this vulnerability. Network segmentation and limiting administrative access to affected devices can further reduce exposure. Finally, organizations should maintain an inventory of devices running affected Linux kernel versions to prioritize patching efforts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-29T15:50:41.188Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe1b6e
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 5:40:31 AM
Last updated: 7/29/2025, 6:42:25 AM