CVE-2024-46737: Vulnerability in Linux Linux

Medium
Published: Wed Sep 18 2024 (09/18/2024, 07:11:59 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix kernel crash if commands allocation fails

If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference.

    nvmet: failed to install queue 0 cntlid 1 ret 6
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008

Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.

AI-Powered Analysis

Last updated: 06/29/2025, 01:09:54 UTC

Technical Analysis

CVE-2024-46737 is a vulnerability identified in the Linux kernel's nvmet-tcp subsystem, which handles NVMe over TCP transport. The flaw arises when the kernel attempts to allocate command structures in the function nvmet_tcp_alloc_cmds(). If this allocation fails, the kernel does not properly handle the error, leading to a NULL pointer dereference in the subsequent function nvmet_tcp_release_queue_work(). Specifically, the queue->nr_cmds field is not reset to zero upon allocation failure, causing the kernel to attempt to access invalid memory addresses. This results in a kernel crash (panic), which can cause a denial of service (DoS) condition on affected systems. The error messages observed include "nvmet: failed to install queue 0 cntlid 1 ret 6" and "Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008." The patch fixes this issue by ensuring queue->nr_cmds is set to zero if nvmet_tcp_alloc_cmds() fails, preventing the NULL pointer dereference. This vulnerability affects specific Linux kernel versions identified by the commit hash 872d26a391da92ed8f0c0f5cb5fef428067b7f30. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
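
A simplified user-space model of the failure described above, added here as an illustration and not taken from the kernel source. The struct layout, the names alloc_cmds, release_queue and run_case, and the assumption that nr_cmds is set before the allocation is attempted are all hypothetical; the NULL check in release_queue stands in for the point where the real kernel would crash.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model types; not the kernel's nvmet_tcp structures. */
struct cmd { void *buf; };
struct queue {
    struct cmd *cmds;   /* NULL until the allocation succeeds */
    int nr_cmds;        /* count that the release path trusts */
};

/* Allocate nr command slots. 'fail' simulates allocation failure;
 * 'fixed' selects the patched behaviour (nr_cmds zeroed on failure). */
static int alloc_cmds(struct queue *q, int nr, bool fail, bool fixed)
{
    q->nr_cmds = nr;    /* assumption: count is recorded before allocating */
    q->cmds = fail ? NULL : calloc((size_t)nr, sizeof(*q->cmds));
    if (!q->cmds) {
        if (fixed)
            q->nr_cmds = 0;   /* the fix: leave nothing for release to walk */
        return -1;
    }
    return 0;
}

/* Teardown: walks nr_cmds entries. Returns the number of entries freed,
 * or -1 at the point where unpatched code would dereference NULL. */
static int release_queue(struct queue *q)
{
    int freed = 0;
    for (int i = 0; i < q->nr_cmds; i++) {
        if (!q->cmds)
            return -1;        /* stand-in for the NULL pointer dereference */
        free(q->cmds[i].buf);
        freed++;
    }
    free(q->cmds);
    q->cmds = NULL;
    q->nr_cmds = 0;
    return freed;
}

/* Queue setup fails or succeeds, then teardown runs either way. */
static int run_case(bool fail, bool fixed)
{
    struct queue q = {0};
    (void)alloc_cmds(&q, 4, fail, fixed);
    return release_queue(&q);
}
```

With the stale count left in place, teardown after a failed allocation reaches the NULL array; with the count zeroed, the loop body never runs and teardown completes.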

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service on Linux systems utilizing the NVMe over TCP (nvmet-tcp) subsystem. Organizations running storage servers, data centers, or cloud infrastructure that rely on Linux kernels with the affected versions and that use NVMe over TCP for storage networking could experience kernel crashes leading to service interruptions. This could impact availability of critical services, especially in environments with high storage I/O demands or where NVMe over TCP is used for remote storage access. While the vulnerability does not directly lead to privilege escalation or data compromise, the resulting kernel panic can disrupt operations, cause downtime, and potentially lead to data loss if systems are not properly protected or if crashes occur during critical operations. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to avoid potential exploitation or accidental crashes.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2024-46737. Specifically, they should apply the patch that sets queue->nr_cmds to zero upon allocation failure in the nvmet-tcp code path. System administrators should audit their infrastructure to identify systems running affected kernel versions and verify if NVMe over TCP is in use. If NVMe over TCP is not required, consider disabling the nvmet-tcp module to reduce attack surface. Additionally, implement robust monitoring and alerting for kernel panics and crashes to detect potential exploitation or instability early. For critical systems, ensure regular backups and failover mechanisms are in place to mitigate downtime caused by unexpected kernel crashes. Network segmentation and limiting access to storage networking interfaces can also reduce exposure. Finally, maintain awareness of updates from Linux kernel maintainers and security advisories to promptly apply future patches.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-11T15:12:18.257Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9826c4522896dcbe1152

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/29/2025, 1:09:54 AM

Last updated: 8/12/2025, 10:46:12 AM