CVE-2024-46843: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Remove SCSI host only if added

If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been deferred after MCQ configuration introduced by commit 0cab4023ec7b ("scsi: ufs: core: Defer adding host to SCSI if MCQ is supported").

To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.
AI Analysis
Technical Summary
CVE-2024-46843 is a vulnerability identified in the Linux kernel specifically affecting the SCSI (Small Computer System Interface) subsystem for UFS (Universal Flash Storage) devices. The issue arises during the process of probing the UFS host bus adapter (HBA) when the Multi-Queue Command (MCQ) feature is enabled. The vulnerability is triggered if the kernel attempts to remove the ufshcd driver from a UFS device and the asynchronous scan (ufshcd_async_scan) fails during the probe phase (ufshcd_probe_hba). Under these conditions, the kernel may attempt to remove a SCSI host that was never successfully added due to the deferred addition of the SCSI host introduced by a prior commit (0cab4023ec7b). This improper removal leads to a kernel panic, causing a denial of service (DoS) by crashing the system. The root cause is that the kernel did not track whether the SCSI host was actually added before attempting removal. The fix involves setting a flag (scsi_host_added) to true only after the SCSI host is successfully added and checking this flag before removal to prevent invalid operations. This vulnerability affects Linux kernel versions containing the specified commit and impacts systems using UFS storage with MCQ enabled. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
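The add/remove imbalance described above, as an added user-space model in C (not the kernel's code and not the upstream patch). Only `scsi_host_added` is a name from the advisory; `model_hba`, `model_probe`, `run_case` and the other identifiers are hypothetical, and a return value of -1 stands in for the kernel panic.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; only scsi_host_added is a name from the advisory. */
struct model_hba {
    bool mcq_enabled;
    bool scsi_host_added;  /* the fix: set only after a successful add */
    bool registered;       /* stands in for SCSI midlayer state */
};

static void model_add_host(struct model_hba *hba)
{
    hba->registered = true;
    hba->scsi_host_added = true;
}

/* Returns -1 where the real kernel would panic on a never-added host. */
static int model_remove_host(struct model_hba *hba)
{
    if (!hba->registered)
        return -1;
    hba->registered = false;
    return 0;
}

/* With MCQ the add is deferred into the scan, so a failed scan skips it. */
static void model_probe(struct model_hba *hba, bool scan_fails)
{
    if (!hba->mcq_enabled || !scan_fails)
        model_add_host(hba);
}

/* Probe, then remove the driver: 0 = clean teardown, -1 = modelled panic. */
int run_case(bool mcq, bool scan_fails, bool patched)
{
    struct model_hba hba = { .mcq_enabled = mcq };

    model_probe(&hba, scan_fails);
    if (patched && !hba.scsi_host_added)
        return 0;  /* patched path: nothing was added, so skip removal */
    return model_remove_host(&hba);
}

int main(void)
{
    printf("MCQ, scan fails, unpatched: %d\n", run_case(true, true, false));
    printf("MCQ, scan fails, patched:   %d\n", run_case(true, true, true));
    return 0;
}
```

The only failing combination is MCQ enabled, scan failure and unguarded removal, which matches the trigger conditions in the description.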
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with affected versions that utilize UFS storage devices, particularly in environments where MCQ is enabled. The impact is a potential denial of service through kernel panic, which can cause system crashes and downtime. This can disrupt critical services, especially in sectors relying on embedded Linux systems or servers using UFS storage, such as telecommunications, automotive, industrial control, and cloud infrastructure providers. The vulnerability does not appear to allow privilege escalation or remote code execution but can degrade availability, impacting business continuity and operational reliability. Organizations with large-scale Linux deployments or those using UFS devices in critical infrastructure should be particularly vigilant. Given the lack of known exploits, the immediate risk is moderate, but unpatched systems remain vulnerable to accidental or targeted triggering of the kernel panic.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Identify and inventory Linux systems using UFS storage devices with MCQ enabled.
2) Apply the latest Linux kernel patches that address CVE-2024-46843 as soon as they are available from trusted Linux distributions or kernel maintainers.
3) For systems where immediate patching is not feasible, consider disabling MCQ support for UFS devices as a temporary workaround, if operationally acceptable.
4) Implement robust monitoring and alerting for kernel panics or unexpected reboots to detect potential exploitation attempts or accidental triggers.
5) Test patches in staging environments to ensure compatibility and stability before deployment in production.
6) Maintain regular backups and disaster recovery plans to minimize downtime impact.
7) Engage with Linux vendor support channels for guidance on patch availability and deployment best practices.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.289Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aec04a
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 5:26:33 AM
Last updated: 8/13/2025, 1:29:08 AM