CVE-2024-47660 is a vulnerability identified in the Linux kernel's fsnotify subsystem, which is responsible for monitoring filesystem events. The issue arises in the handling of directory dentries (directory entries) when a directory contains a large number of dentries, often negative dentries (entries that do not correspond to actual files). Specifically, the function __fsnotify_update_child_dentry_flags() is called to update flags related to parent-child watch relationships under the inode->i_lock mutex. Because this function can take a significant amount of time in directories with many dentries, it causes contention on the inode lock. This contention occurs when removing a watch from a directory, as concurrent calls to __fsnotify_update_child_dentry_flags() from fsnotify_recalc_mask() race with calls from __fsnotify_parent() on child dentries. The result is a potential soft lockup, where the kernel becomes unresponsive or experiences severe delays due to prolonged lock contention. The fix implemented involves changing the timing of when PARENT_WATCHED flags are set and cleared: flags are now set only when the parent starts watching children, and false positive flags are cleared lazily when the parent stops watching children. This reduces lock contention and prevents the soft lockup condition. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and likely related versions prior to the patch date of October 9, 2024.

For European organizations relying on Linux-based systems, especially those with workloads involving heavy filesystem monitoring or directory watches (e.g., file servers, monitoring tools, container hosts, or development environments), this vulnerability can lead to system instability or degraded performance due to kernel soft lockups. Such soft lockups can cause service interruptions, impacting availability of critical applications and services. In environments with high directory activity or complex filesystem structures, the risk of encountering this issue increases. While this vulnerability does not directly expose confidentiality or integrity risks, the availability impact can be significant, potentially causing downtime or requiring system reboots. This can affect sectors such as finance, healthcare, telecommunications, and public administration, where Linux servers are widely deployed. Additionally, the kernel lock contention could complicate incident response or forensic activities if systems become unresponsive during critical operations.

European organizations should promptly apply the Linux kernel patch that addresses CVE-2024-47660 once it becomes available in their distribution's stable updates. Until patched, administrators should monitor systems for signs of kernel soft lockups, such as kernel warnings or system hangs related to inode lock contention. Reducing the number of directory watches or restructuring directory hierarchies to avoid large numbers of dentries may mitigate the risk temporarily. Organizations using filesystem monitoring tools should review their configurations to minimize excessive watches on directories with many entries. Employing kernel tracing and monitoring tools (e.g., perf, ftrace) can help identify contention hotspots. For critical systems, consider scheduling maintenance windows to apply updates and reboot if necessary. Coordination with Linux distribution vendors for timely patch releases and testing in staging environments is recommended to ensure stability post-update.