
CVE-2024-47666: Vulnerability in Linux

Severity: High
Published: Wed Oct 09 2024 (10/09/2024, 14:13:58 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Set phy->enable_completion only when we wait for it

pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. A late phy control response invokes complete() on a dangling enable_completion pointer, which leads to a kernel crash.

AI-Powered Analysis

Last updated: 06/28/2025, 19:12:32 UTC

Technical Analysis

CVE-2024-47666 is a vulnerability identified in the Linux kernel's SCSI subsystem, specifically within the pm80xx driver responsible for managing certain SAS (Serial Attached SCSI) controllers. The vulnerability arises in the pm8001_phy_control() function, which handles PHY (physical layer) control operations such as PHY_LINK_RESET and PHY_HARD_RESET. The function stores the address of a stack-allocated completion in the enable_completion pointer, issues the reset, and waits 300 milliseconds for a PHY control response. If the response arrives late, after the 300 ms wait has expired, the function has already returned, and enable_completion still references memory in a stack frame that no longer exists (a dangling pointer). When the late response calls complete() through this pointer, it writes to a dead stack frame and the kernel crashes. This is a race between a timed wait and an asynchronous response, with the same root cause as a use-after-free: the lifetime of the object (the stack completion) is shorter than the lifetime of the pointer that refers to it. The issue is rooted in improper synchronization and lifetime management of the enable_completion pointer during asynchronous PHY control operations. The vulnerability affects Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and was published on October 9, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet. The fix involves setting the enable_completion pointer only while the code is actively waiting for the completion, so that a stale stack address is never left behind after the function returns.
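The following user-space model, added here as an illustration and not taken from the pm80xx driver, shows the lifetime bug described in the description and analysis above next to a hardened form of the same control path. The structure names (struct phy, phy_response, phy_control_vulnerable, phy_control_hardened) and the single-threaded completion stand-ins are assumptions made for the example; in the real driver the response arrives from interrupt context and the publish/retract of the pointer and the handler's read of it must be serialized under the same lock, which this model omits.

```c
/*
 * Model of a stack-allocated completion whose address is published into a
 * shared per-PHY structure for a timed wait. The vulnerable variant leaves
 * the pointer behind after returning; the hardened variant publishes it only
 * for the duration of the wait and retracts it before the frame dies.
 * (Example code; types and names are stand-ins, not the kernel's.)
 */
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's struct completion. */
struct completion { int done; };

static void complete(struct completion *c) { c->done = 1; }

/* Returns 1 if the completion was signalled, 0 on "timeout". Time does not
 * advance in this model, so an unsignalled completion is a timeout. */
static int wait_for_completion_timeout(struct completion *c) { return c->done; }

/* Per-PHY state shared between the control path and the response handler. */
struct phy {
    struct completion *enable_completion;
};

/* The asynchronous PHY control response path. Returns 1 if it signalled a
 * waiter through the stored pointer, 0 if it dropped the response because no
 * pointer was published. Only called here while the pointer is valid. */
static int phy_response(struct phy *phy)
{
    if (phy->enable_completion == NULL)
        return 0;                         /* nobody is waiting: drop it */
    complete(phy->enable_completion);
    return 1;
}

/* Is a pointer still published after the control path returned? */
static int has_stale_completion(const struct phy *phy)
{
    return phy->enable_completion != NULL;
}

/* VULNERABLE: the address of a local is published and never retracted. */
static void phy_control_vulnerable(struct phy *phy, int respond_in_time)
{
    struct completion c = { 0 };
    phy->enable_completion = &c;          /* published unconditionally */
    /* issue PHY_LINK_RESET / PHY_HARD_RESET, then wait up to 300 ms */
    if (respond_in_time)
        phy_response(phy);                /* on-time response: &c is live */
    (void)wait_for_completion_timeout(&c);
    /* returns with phy->enable_completion still pointing into this frame */
}

/* HARDENED: publish only around the wait, retract before the frame dies.
 * In a real driver the two assignments and phy_response() must run under
 * one lock so a response cannot interleave between the timeout and the
 * retraction. Returns 1 if the completion was observed, 0 on timeout. */
static int phy_control_hardened(struct phy *phy, int respond_in_time)
{
    struct completion c = { 0 };
    int completed;
    phy->enable_completion = &c;
    if (respond_in_time)
        phy_response(phy);
    completed = wait_for_completion_timeout(&c);
    phy->enable_completion = NULL;        /* retract before &c goes out of scope */
    return completed;
}

/* Scenario 1: vulnerable path times out; a stale pointer is left behind. */
int run_vulnerable_scenario(void)
{
    struct phy p = { NULL };
    phy_control_vulnerable(&p, 0);
    return has_stale_completion(&p);      /* 1: a late response would deref a dead frame */
}

/* Scenario 2: hardened path times out; the late response is safely dropped. */
int run_hardened_timeout_scenario(void)
{
    struct phy p = { NULL };
    int completed = phy_control_hardened(&p, 0);
    int late = phy_response(&p);          /* arrives after return: finds NULL */
    return completed == 0 && late == 0 && !has_stale_completion(&p);
}

/* Scenario 3: hardened path with an on-time response completes normally. */
int run_hardened_on_time_scenario(void)
{
    struct phy p = { NULL };
    int completed = phy_control_hardened(&p, 1);
    return completed == 1 && !has_stale_completion(&p);
}

int main(void)
{
    printf("vulnerable leaves stale pointer: %d\n", run_vulnerable_scenario());
    printf("hardened drops late response:    %d\n", run_hardened_timeout_scenario());
    printf("hardened on-time completes:      %d\n", run_hardened_on_time_scenario());
    return 0;
}
```

The model deliberately never dereferences the stale pointer left by the vulnerable path; it only reports that one is still published, because writing through a dead stack frame is exactly the crash the advisory describes. The useful defender-side check is the invariant enforced in the hardened variant: no pointer to a local may remain reachable from shared state once the function that owns the local returns.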

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernels with the affected pm80xx SCSI driver enabled. The impact is mainly denial of service through kernel crashes, which can lead to system instability, unexpected reboots, and potential data loss if critical storage operations are interrupted. Organizations relying on Linux servers for storage-intensive applications, such as data centers, cloud providers, and enterprises with SAS storage arrays, could experience service disruptions. While this vulnerability does not directly lead to privilege escalation or remote code execution, the resulting kernel crashes could be exploited by attackers with local access to cause denial of service or to disrupt critical infrastructure. This could affect availability of services and potentially impact business continuity. Given the kernel-level nature of the bug, recovery may require system reboots and patching, which could incur operational downtime. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent future exploitation.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Identify Linux systems running kernels that include the vulnerable pm80xx driver version (commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2).
2) Apply the official Linux kernel patches that fix this issue as soon as they become available, ensuring that the enable_completion pointer is only set when actively waiting for completion.
3) For systems where immediate patching is not feasible, consider disabling or unloading the pm80xx driver if the hardware and workload allow, to prevent triggering the vulnerable code path.
4) Monitor system logs for kernel crashes or OOPS messages related to pm80xx or PHY control operations, which may indicate attempted exploitation or triggering of the bug.
5) Implement strict access controls and limit local user privileges to reduce the risk of local attackers causing denial of service.
6) Maintain regular backups and ensure disaster recovery plans are tested to mitigate impact from unexpected system crashes.
7) Coordinate with hardware vendors to confirm compatibility and support for patched kernel versions to avoid operational issues post-update.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-30T16:00:12.936Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbe0451

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 7:12:32 PM

Last updated: 7/26/2025, 3:44:15 AM
