CVE-2024-45008: Vulnerability in Linux

Severity: High
Published: Wed Sep 04 2024 (09/04/2024, 19:54:49 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

Input: MT - limit max slots

syzbot is reporting too large allocation at input_mt_init_slots(), for num_slots is supplied from userspace using ioctl(UI_DEV_CREATE). Since nobody knows possible max slots, this patch chose 1024.

AI-Powered Analysis

Last updated: 06/28/2025, 23:41:42 UTC

Technical Analysis

CVE-2024-45008 is a vulnerability in the Linux kernel's handling of multi-touch (MT) input device slots. The issue lies in input_mt_init_slots(), which initializes the slot table for a multi-touch input device. The number of slots (num_slots) is supplied from userspace via the ioctl system call UI_DEV_CREATE without an upper-bound check, so a single call can request an excessively large memory allocation. The patch addressing this vulnerability introduces a maximum of 1024 slots to prevent unbounded allocation.

The root cause is that the kernel previously had no notion of a maximum slot count, so a malicious or erroneous userspace application could request an arbitrarily large number of slots, potentially causing resource exhaustion or denial of service (DoS). No exploits are currently reported in the wild, but the vulnerability is a risk vector in which an unprivileged user or process could trigger large memory allocations and cause kernel instability or crashes. The affected Linux kernel versions are identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and potentially other versions prior to the patch.

The vulnerability is particularly relevant for systems that support multi-touch input devices, such as touchscreens or touchpads, commonly found in laptops, tablets, and embedded devices running Linux. No CVSS score has been assigned, so the severity has not been formally assessed, but the technical details suggest a medium to high risk because of the potential for denial of service via resource exhaustion. Invoking the ioctl requires local access to the system; no user interaction beyond that is necessary. The 1024-slot cap is a reasonable upper bound that prevents abuse while preserving functionality for legitimate devices.
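The defect and its fix come down to one missing bound check between a userspace-supplied count and an allocation sized from it. The following C program is an added illustration written for this page, not the kernel's input_mt_init_slots() code: it models the pre-fix path (the count is trusted and the request size grows without limit) beside the post-fix path (the count is rejected above 1024 before any allocation happens). The slot structure size, the function names, and the -22/-12 return codes mirroring -EINVAL/-ENOMEM are assumptions made for the example; only the 1024 cap comes from the advisory.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the bound check added by the fix. This is not the
 * kernel's input_mt_init_slots(); the slot struct and error codes below
 * are assumed stand-ins chosen for the example. */
#define MAX_MT_SLOTS 1024U   /* cap chosen by the upstream patch */
#define ERR_INVAL    (-22)   /* assumed: mirrors -EINVAL */
#define ERR_NOMEM    (-12)   /* assumed: mirrors -ENOMEM */

struct mt_slot_sim { int32_t abs[14]; };   /* assumed per-slot payload */

struct mt_sim {
    unsigned int num_slots;
    struct mt_slot_sim *slots;
};

/* Pre-fix behaviour: the caller-supplied count is trusted, so the request
 * handed to the allocator is num_slots * sizeof(slot) with no ceiling.
 * Only the size is computed here (nothing is allocated), so the function
 * can safely be probed with absurd counts. */
size_t mt_request_bytes_unbounded(unsigned int num_slots)
{
    return (size_t)num_slots * sizeof(struct mt_slot_sim);
}

/* Post-fix behaviour: reject anything above MAX_MT_SLOTS before the
 * allocator is consulted. Returns 0 on success (and stores the request
 * size in *bytes when bytes is non-NULL), ERR_INVAL when rejected. */
int mt_request_bytes_capped(unsigned int num_slots, size_t *bytes)
{
    if (num_slots > MAX_MT_SLOTS)
        return ERR_INVAL;
    if (bytes)
        *bytes = (size_t)num_slots * sizeof(struct mt_slot_sim);
    return 0;
}

/* Hardened initialiser: validate first, allocate second. */
int mt_init_slots_sim(struct mt_sim *mt, unsigned int num_slots)
{
    size_t bytes = 0;
    int rc = mt_request_bytes_capped(num_slots, &bytes);
    if (rc)
        return rc;
    mt->num_slots = 0;
    mt->slots = NULL;
    if (num_slots == 0)            /* zero slots: nothing to allocate */
        return 0;
    mt->slots = calloc(num_slots, sizeof *mt->slots);
    if (!mt->slots)
        return ERR_NOMEM;
    mt->num_slots = num_slots;
    return 0;
}

void mt_destroy_slots_sim(struct mt_sim *mt)
{
    free(mt->slots);
    mt->slots = NULL;
    mt->num_slots = 0;
}

/* Initialise, record the outcome, release: returns the init result code
 * (and the slot count actually recorded through *got, if non-NULL). */
int mt_init_roundtrip(unsigned int num_slots, unsigned int *got)
{
    struct mt_sim mt = {0};
    int rc = mt_init_slots_sim(&mt, num_slots);
    if (got)
        *got = mt.num_slots;
    mt_destroy_slots_sim(&mt);
    return rc;
}

int main(void)
{
    /* Constructed probe values: two legitimate counts, one just past the
     * cap, and the largest value a 32-bit count can carry. */
    unsigned int probes[] = { 10, 1024, 1025, UINT_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned int n = probes[i];
        int rc = mt_request_bytes_capped(n, NULL);
        printf("num_slots=%u unbounded request=%zu bytes, capped: %s\n",
               n, mt_request_bytes_unbounded(n),
               rc ? "rejected" : "accepted");
    }
    return 0;
}
```

Running the program shows why the cap is the right layer for the check: the unbounded path turns UINT_MAX into a multi-gigabyte request on a 64-bit build, while the capped path rejects it before the allocator sees it, and legitimate devices with tens or hundreds of slots are unaffected.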

Potential Impact

For European organizations, the impact of CVE-2024-45008 primarily revolves around potential denial of service conditions on Linux-based systems that support multi-touch input devices. This includes enterprise laptops, workstations, kiosks, and embedded systems used in industrial control, healthcare, transportation, and public infrastructure. An attacker with local access could exploit this vulnerability to cause kernel crashes or system instability by triggering excessive memory allocations. This could lead to service interruptions, loss of productivity, and potential downtime in critical environments. While the vulnerability does not directly lead to privilege escalation or remote code execution, the resulting denial of service could be leveraged as part of a broader attack chain, especially in environments where availability is critical. European organizations with large deployments of Linux systems, particularly those using touchscreen-enabled devices or custom embedded Linux solutions, may face increased risk. Additionally, sectors such as finance, manufacturing, and government, which rely heavily on Linux infrastructure, could experience operational disruptions if exploited. The lack of known exploits in the wild reduces immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation attempts.

Mitigation Recommendations

1. Apply the official Linux kernel patch that limits the maximum number of multi-touch slots to 1024 as soon as it becomes available and is compatible with your systems.
2. For organizations managing custom or embedded Linux kernels, ensure that the kernel source is updated and rebuilt with the patch integrated.
3. Restrict local access to systems running vulnerable Linux kernels to trusted users only, minimizing the risk of unprivileged exploitation.
4. Implement monitoring and alerting for unusual ioctl calls or abnormal memory allocation patterns related to input devices, which could indicate exploitation attempts.
5. Conduct regular audits of kernel versions in use across the organization to identify and prioritize vulnerable systems for patching.
6. For critical systems where immediate patching is not feasible, consider disabling or restricting multi-touch input device support if it is not essential to operations.
7. Maintain up-to-date backups and incident response plans to quickly recover from potential denial of service incidents caused by exploitation of this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T05:34:56.679Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9826c4522896dcbe0e94

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/28/2025, 11:41:42 PM

Last updated: 7/26/2025, 8:04:27 PM
