CVE-2024-45027 is a vulnerability identified in the Linux kernel's USB xHCI (Extensible Host Controller Interface) driver. The issue arises in the error handling path of the xhci_mem_init() function, which is responsible for initializing memory structures related to USB 3.0 host controller operations. Specifically, if xhci_mem_init() fails early—after setting the maximum number of interrupters (xhci->max_interrupters) but before allocating the interrupters array (xhci->interrupters)—the cleanup function xhci_mem_cleanup() is called. However, xhci_mem_cleanup() unconditionally dereferences xhci->interrupters without checking if it is NULL, leading to a potential NULL pointer dereference. This can cause a kernel panic or system crash due to the invalid memory access. The vulnerability was discovered during debugging of a DMA allocation failure that triggered this exact code path. The fix involves adding a guard check in xhci_mem_cleanup() to ensure that the interrupt freeing loop only executes if xhci->interrupters is non-NULL, preventing the dereference of a NULL pointer. This vulnerability affects Linux kernel versions containing the specified commits prior to the patch and is relevant to systems using the xHCI USB controller driver, which is common in modern hardware for USB 3.x support. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

For European organizations, this vulnerability poses a risk primarily to the stability and availability of Linux-based systems that utilize the xHCI USB driver. Many servers, workstations, and embedded devices in Europe run Linux kernels that include this driver, especially in enterprise, industrial, and governmental environments. An attacker or even a benign fault condition triggering this vulnerability could cause a denial of service (DoS) by crashing the kernel, leading to system downtime and potential disruption of critical services. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting system crashes could interrupt business operations, affect data availability, and require system reboots or manual intervention. Organizations relying on Linux for USB device connectivity, including USB peripherals essential for operations, could be impacted. The lack of known exploits suggests a lower immediate threat level, but the vulnerability's presence in widely deployed Linux kernels means that unpatched systems remain at risk. The impact is more pronounced in environments where high availability is critical, such as financial institutions, healthcare providers, and infrastructure operators within Europe.

European organizations should prioritize applying the official Linux kernel patches that address CVE-2024-45027 as soon as they become available from their Linux distribution vendors. Until patches are applied, organizations can mitigate risk by: 1) Minimizing the use of USB 3.x devices or disabling xHCI USB controllers in BIOS/UEFI settings if feasible, especially on critical systems where USB connectivity is not essential. 2) Monitoring system logs for kernel errors or crashes related to USB or xHCI drivers to detect potential triggering of this vulnerability. 3) Employing kernel crash dump analysis tools to identify if the NULL pointer dereference is occurring. 4) Testing patches in staging environments to ensure stability before deployment. 5) Ensuring robust backup and recovery procedures are in place to minimize downtime in case of crashes. 6) For embedded or specialized Linux systems, coordinate with hardware vendors for firmware or driver updates that incorporate the fix. These steps go beyond generic advice by focusing on USB controller management and proactive monitoring specific to this vulnerability's characteristics.