CVE-2024-42255: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
tpm: Use auth only after NULL check in tpm_buf_check_hmac_response()
Dereference auth after NULL check in tpm_buf_check_hmac_response(). Otherwise, unless tpm2_sessions_init() was called, a call can cause NULL dereference, when TCG_TPM2_HMAC is enabled.
[jarkko: adjusted the commit message.]
AI Analysis
Technical Summary
CVE-2024-42255 is a NULL pointer dereference in the Linux kernel's TPM (Trusted Platform Module) subsystem, in the function tpm_buf_check_hmac_response(). The function uses the 'auth' pointer before confirming that it is non-NULL. If the TPM2 HMAC feature (TCG_TPM2_HMAC) is enabled and the initialization function tpm2_sessions_init() has not been called, a call to the function dereferences a NULL pointer, which results in a kernel crash or denial of service (DoS) condition. The issue is a classic example of insufficient validation compromising kernel stability.
The fix ensures that the 'auth' pointer is used only after the NULL check, so the kernel no longer dereferences a NULL pointer on this path. This improves the robustness of the TPM subsystem in the Linux kernel.
The vulnerability affects specific Linux kernel versions identified by commit hashes (7ca110f2679b7d1f3ac1afc90e6ffbf0af3edf0d). There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The TPM subsystem is critical for hardware-based security functions, including secure boot, disk encryption, and platform integrity verification. A kernel crash caused by this vulnerability could disrupt these security services and impact system availability.
Potential Impact
For European organizations, the impact of CVE-2024-42255 primarily involves potential denial of service conditions on Linux systems utilizing TPM 2.0 with HMAC enabled. Many enterprises and government agencies in Europe rely on Linux servers and workstations with TPM for enhanced security features such as secure boot, measured boot, and hardware-based key storage. A kernel crash could interrupt critical services, leading to downtime and potential operational disruption. While this vulnerability does not directly lead to privilege escalation or data breach, the loss of availability in security-critical systems could indirectly affect confidentiality and integrity if security mechanisms fail or are bypassed during recovery. Organizations with high reliance on TPM for compliance (e.g., GDPR-related data protection) or critical infrastructure may face increased risk. Additionally, the vulnerability could be exploited in targeted denial of service attacks against Linux-based infrastructure, including cloud providers, telecom operators, and financial institutions prevalent in Europe. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to maintain system stability and trust in TPM-based security.
Mitigation Recommendations
European organizations should apply the Linux kernel patch that addresses CVE-2024-42255 as soon as it becomes available from their Linux distribution vendors. Specifically, ensure that kernel versions are updated to include the fix that performs the NULL check before dereferencing the 'auth' pointer in the TPM subsystem. Organizations should audit their Linux systems to identify those running TPM 2.0 with TCG_TPM2_HMAC enabled and verify whether tpm2_sessions_init() is properly called during initialization. Systems that do not use TPM or have TPM disabled may have a lower risk but should still be assessed. Implement monitoring for kernel crashes or unusual TPM subsystem errors that could indicate attempted exploitation or instability. For critical systems, consider temporary workarounds such as disabling TPM HMAC features if patching is delayed, but only after evaluating the security trade-offs. Maintain up-to-date backups and ensure incident response plans include procedures for kernel-level failures. Engage with Linux distribution security advisories and subscribe to relevant security mailing lists to receive timely updates on patch availability and deployment guidance.
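One way to carry out the audit and crash-monitoring steps above, as an added example that is not part of the advisory or of any kernel tooling. The helper names, the 40-line window and the sample config and log lines are constructed for illustration; CONFIG_TCG_TPM2_HMAC is the kernel config form of the TCG_TPM2_HMAC option named above.

```sh
#!/bin/sh
# Added example: exposure triage for CVE-2024-42255. Helper names are hypothetical.
SYM=CONFIG_TCG_TPM2_HMAC
FUNC=tpm_buf_check_hmac_response

# Read a kernel config on stdin; print enabled, disabled or unknown for SYM.
hmac_config_state() {
    awk -v s="$SYM" '
        $0 == s "=y"               { st = "enabled" }
        $0 == "# " s " is not set" { st = "disabled" }
        END { print (st ? st : "unknown") }'
}

# Read kernel log text on stdin; count NULL-dereference oopses whose faulting
# instruction (x86 "RIP:" or arm64 "pc :") lies in FUNC, within 40 lines.
count_tpm_null_oops() {
    awk -v f="$FUNC" '
        /kernel NULL pointer dereference/ { armed = NR }
        armed && NR - armed <= 40 && /(RIP|pc) *:/ && index($0, f "+0x") {
            hits++; armed = 0
        }
        END { print hits + 0 }'
}

# Constructed samples (not captured from a real system).
sample_config() {
    printf '%s\n' 'CONFIG_TCG_TPM=y' 'CONFIG_TCG_TPM2_HMAC=y' 'CONFIG_TCG_TIS=y'
}
sample_log() {
    cat <<'EOF'
[   12.301] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x0, rev-id 1)
[   12.348] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   12.349] #PF: supervisor read access in kernel mode
[   12.350] RIP: 0010:tpm_buf_check_hmac_response+0x2a/0x3c0
[   15.002] BUG: kernel NULL pointer dereference, address: 0000000000000010
[   15.003] RIP: 0010:unrelated_driver_func+0x1c/0x90
EOF
}

# Live use: ./triage.sh --live  (needs read access to the config and journal)
if [ "${1:-}" = "--live" ]; then
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then state=$(hmac_config_state < "$cfg")
    else state=$(zcat /proc/config.gz 2>/dev/null | hmac_config_state); fi
    echo "$SYM: $state"
    echo "oopses in $FUNC: $(journalctl -k --no-pager | count_tpm_null_oops)"
fi
```

An "enabled" result shows only that the affected code path is compiled in; whether the fix is present has to come from the distribution's advisory for the installed kernel package.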
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-30T07:40:12.257Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe1d20
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 6:25:34 AM
Last updated: 7/28/2025, 2:46:01 AM