CVE-2024-49935: Vulnerability in the Linux kernel

Severity: High
Published: Mon Oct 21 2024 (10/21/2024, 18:01:56 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ACPI: PAD: fix crash in exit_round_robin()

The kernel occasionally crashes in cpumask_clear_cpu(), which is called within exit_round_robin(), because when executing clear_bit(nr, addr) with nr set to 0xffffffff, the address calculation may cause misalignment within the memory, leading to access to an invalid memory address.

----------
BUG: unable to handle kernel paging request at ffffffffe0740618
...
CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1
...
RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
FS:  0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? acpi_pad_add+0x120/0x120 [acpi_pad]
 kthread+0x10b/0x130
 ? set_kthread_struct+0x50/0x50
 ret_from_fork+0x1f/0x40
...
CR2: ffffffffe0740618

crash> dis -lr ffffffffc0726923
...
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
0xffffffffc0726918 <power_saving_thread+776>:   mov    %r12d,%r12d
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
0xffffffffc072691b <power_saving_thread+779>:   mov    -0x3f8d7de0(,%r12,4),%eax
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
0xffffffffc0726923 <power_saving_thread+787>:   lock btr %rax,0x19cf4(%rip)   # 0xffffffffc0740620 <pad_busy_cpus_bits>

crash> px tsk_in_cpu[14]
$66 = 0xffffffff

crash> px 0xffffffffc072692c+0x19cf4
$99 = 0xffffffffc0740620

crash> sym 0xffffffffc0740620
ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]

crash> px pad_busy_cpus_bits[0]
$42 = 0xfffc0
----------

To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling cpumask_clear_cpu() in exit_round_robin(), just as it is done in round_robin_cpu().

[ rjw: Subject edit, avoid updates to the same value ]

AI-Powered Analysis

Last updated: 06/28/2025, 21:55:13 UTC

Technical Analysis

CVE-2024-49935 is a crash bug in the Linux kernel's ACPI Processor Aggregator Device driver (the acpi_pad module), in the function exit_round_robin(). The driver records which CPU each of its power-saving kernel threads currently holds in the tsk_in_cpu[] array, using -1 for "none", and marks held CPUs in the pad_busy_cpus_bits bitmap. exit_round_robin() passed tsk_in_cpu[tsk_index] straight to cpumask_clear_cpu() without checking for -1. When the slot is -1, clear_bit() receives bit number 0xffffffff. The commit message describes the result as a misaligned access; the register dump shows it is an out-of-bounds one. The int is fetched with a 32-bit mov, which zero-extends into RAX (RAX: 00000000ffffffff in the trace), and that value is then used as the bit index of a 64-bit "lock btr" against pad_busy_cpus_bits. For a 64-bit operand btr addresses the quadword (bit / 64) * 8 bytes from the base, i.e. 0x1FFFFFF8 bytes past the bitmap; added to the symbol address 0xffffffffc0740620 from the crash session, that is exactly the faulting address in CR2, 0xffffffffe0740618, an unmapped page. The kernel reports "BUG: unable to handle kernel paging request" in the acpi_pad/N kernel thread (acpi_pad/14 here), which on a kdump-enabled system like the one in the report ends in a panic and a vmcore. The fix adds the tsk_in_cpu[tsk_index] != -1 check before cpumask_clear_cpu(), mirroring the check that round_robin_cpu() already performs.

The reported crash was captured on a RHEL 8.7 kernel (4.18.0-425.19.2.el8_7.x86_64); any kernel that builds or loads acpi_pad without this fix has the same code path. The impact is availability: the out-of-bounds access is a single bit clear at an offset fixed by the -1 value, not an attacker-controlled write, and nothing in the record suggests arbitrary code execution or privilege escalation, only denial of service through a kernel crash. The faulting context is the driver's own power-saving kernel thread, so the trigger lies in the driver's CPU bookkeeping (a thread leaving the round robin while holding no CPU) rather than in any user-supplied input; the record gives no indication of a remote or unprivileged trigger. No known exploits in the wild are reported as of the publication date.
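As an added illustration, not kernel code and not part of this advisory, the following C model reproduces the arithmetic in the crash dump and contrasts the pre-fix and fixed shapes of exit_round_robin(). The names tsk_in_cpu and pad_busy_cpus_bits come from the dump; NR_PAD_THREADS, NR_CPUS, the pad_result enum and the pad_model_* helpers are assumptions made for the model. Rather than dereferencing past the array, the cpumask_clear_cpu() stand-in reports that the real instruction would have faulted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of acpi_pad's CPU bookkeeping, not kernel code. NR_PAD_THREADS
 * and NR_CPUS are hypothetical sizes; tsk_in_cpu and pad_busy_cpus_bits take
 * their names from the crash dump. A slot of -1 in tsk_in_cpu means that
 * power-saving thread currently holds no CPU. */
#define NR_PAD_THREADS 16
#define NR_CPUS        64
#define BITMAP_WORDS   ((NR_CPUS + 63) / 64)

static uint64_t pad_busy_cpus_bits[BITMAP_WORDS];
static int      tsk_in_cpu[NR_PAD_THREADS];

enum pad_result { PAD_CLEARED, PAD_NOTHING_TO_CLEAR, PAD_WOULD_FAULT };

/* Byte offset from the bitmap base touched by the dump's 64-bit
 * "lock btr %rax, mem" for bit index nr. The int is fetched with a 32-bit mov,
 * which zero-extends into rax (RAX = 00000000ffffffff in the trace), so -1
 * becomes bit 4294967295 and btr addresses the qword (bit / 64) * 8 bytes in. */
uint64_t btr_qword_offset(int nr)
{
    uint64_t bit = (uint32_t)nr;
    return (bit / 64) * 8;
}

/* Address the faulting btr accesses: symbol address of pad_busy_cpus_bits plus
 * that offset. With the dump's values this reproduces CR2. */
uint64_t btr_fault_address(uint64_t bitmap_base, int nr)
{
    return bitmap_base + btr_qword_offset(nr);
}

/* cpumask_clear_cpu() stand-in: reports a would-be fault instead of
 * dereferencing past the array, which is what the kernel did. */
static enum pad_result clear_busy_cpu(int cpu)
{
    uint64_t off = btr_qword_offset(cpu);
    if (off >= sizeof(pad_busy_cpus_bits))
        return PAD_WOULD_FAULT;
    pad_busy_cpus_bits[off / 8] &= ~(1ULL << ((uint32_t)cpu % 64));
    return PAD_CLEARED;
}

/* Pre-fix shape of exit_round_robin(): clears whatever the slot holds. */
enum pad_result exit_round_robin_unfixed(unsigned int tsk_index)
{
    enum pad_result r = clear_busy_cpu(tsk_in_cpu[tsk_index]);
    if (r == PAD_CLEARED)
        tsk_in_cpu[tsk_index] = -1;
    return r;
}

/* Fixed shape: skip the clear when the slot is -1, as round_robin_cpu()
 * already did before touching the bitmap. */
enum pad_result exit_round_robin_fixed(unsigned int tsk_index)
{
    if (tsk_in_cpu[tsk_index] == -1)
        return PAD_NOTHING_TO_CLEAR;
    enum pad_result r = clear_busy_cpu(tsk_in_cpu[tsk_index]);
    tsk_in_cpu[tsk_index] = -1;
    return r;
}

/* Reset the model: no thread holds a CPU, no CPU marked busy. */
void pad_model_reset(void)
{
    memset(pad_busy_cpus_bits, 0, sizeof(pad_busy_cpus_bits));
    for (int i = 0; i < NR_PAD_THREADS; i++)
        tsk_in_cpu[i] = -1;
}

/* Give thread tsk_index ownership of cpu (0 <= cpu < NR_CPUS), mark it busy. */
void pad_model_assign(unsigned int tsk_index, int cpu)
{
    tsk_in_cpu[tsk_index] = cpu;
    pad_busy_cpus_bits[cpu / 64] |= 1ULL << (cpu % 64);
}

bool pad_model_cpu_busy(int cpu)
{
    return (pad_busy_cpus_bits[cpu / 64] >> (cpu % 64)) & 1;
}

int main(void)
{
    pad_model_reset();
    printf("btr qword offset for nr=-1: 0x%llx, fault address: %llx (CR2 in the dump: ffffffffe0740618)\n",
           (unsigned long long)btr_qword_offset(-1),
           (unsigned long long)btr_fault_address(0xffffffffc0740620ULL, -1));
    printf("empty slot, unfixed: %s; fixed: %s\n",
           exit_round_robin_unfixed(14) == PAD_WOULD_FAULT ? "would fault" : "ok",
           exit_round_robin_fixed(14) == PAD_NOTHING_TO_CLEAR ? "skipped" : "?");
    return 0;
}
```

Built with any C99 compiler, the program prints the 0x1FFFFFF8 offset and the ffffffffe0740618 address that matches CR2 in the report; for a thread whose slot is -1 the unfixed path reports a would-be fault and the fixed path skips the clear, while for a real CPU both clear the busy bit and reset the slot.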

Potential Impact

For European organizations this vulnerability is primarily an availability risk. Linux is widely used across European enterprises, public-sector institutions and cloud service providers. Systems running an affected kernel with the acpi_pad module loaded (the ACPI Processor Aggregator Device driver, through which platform firmware asks the OS to idle CPUs for power management) can hit this oops and crash, causing downtime or service interruption on enterprise servers, in data centers and in critical infrastructure. The bug does not appear to allow privilege escalation or data exposure, but a kernel crash in production disrupts business operations, can cause financial loss and puts service-level agreements at risk. Organizations running Linux for critical workloads in telecommunications, finance, healthcare and government are exposed until the fix is applied. Embedded Linux systems and devices, including industrial control and IoT deployments in Europe, are affected only where the platform exposes a processor aggregator device and the driver is built in or loaded; checking for the module is the quickest way to establish whether a given fleet is in scope.

Mitigation Recommendations

Organizations should prioritize updating to a kernel that carries the fix, i.e. one in which exit_round_robin() checks tsk_in_cpu[tsk_index] != -1 before calling cpumask_clear_cpu(). Where an immediate kernel upgrade is not possible, consider the following:

1) Unload and blacklist the acpi_pad module on systems that do not rely on firmware-driven CPU idling. The crash lives entirely in that module, so a system that never loads it is not exposed; confirm with lsmod that it stays unloaded across reboots.
2) Monitor kernel logs and crash dumps for the signature shown in the description: a "BUG: unable to handle kernel paging request" oops with RIP in power_saving_thread [acpi_pad] on an acpi_pad/N kernel thread. In the reported build, exit_round_robin() and cpumask_clear_cpu() were inlined into power_saving_thread, so they do not appear by name in the trace.
3) Keep robust monitoring and automated recovery (kdump, watchdog or automatic reboot on panic) in place to limit downtime from a crash.
4) Use kernel live patching where the distribution provides it for this fix, to avoid a full reboot.
5) Test kernel updates in a staging environment before deployment to confirm compatibility and stability.
6) Limit administrative access to hosts to trusted operators. Since the trigger is internal to the driver's bookkeeping rather than a user-supplied input, this is general hygiene rather than a control specific to this bug.
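Item 2 in practice, as an added example that is not part of the advisory: a C scan over dmesg-style lines for the oops shape in the description, a "BUG: unable to handle kernel paging request" header followed within a few lines by a RIP in power_saving_thread of acpi_pad. The log lines are constructed from the trace in the description (timestamps and the second, unrelated oops are made up), and OOPS_WINDOW, the oops_hit struct and the helper names are assumptions. An unrelated paging oops in another module is not matched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added detection example, not part of the advisory. The log below is
 * constructed, modelled on the trace in the CVE description; timestamps and
 * the second, unrelated oops are illustrative. */
static const char *sample_dmesg[] = {
    "[ 8412.101] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[ 8420.550] BUG: unable to handle kernel paging request at ffffffffe0740618",
    "[ 8420.551] CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X",
    "[ 8420.552] RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]",
    "[ 8420.553] Call Trace:",
    "[ 8420.554]  ? acpi_pad_add+0x120/0x120 [acpi_pad]",
    "[ 8420.555]  kthread+0x10b/0x130",
    "[ 9000.000] BUG: unable to handle kernel paging request at 0000000000000010",
    "[ 9000.001] RIP: 0010:other_driver_poll+0x10/0x20 [other_mod]",
};
#define SAMPLE_DMESG_LINES (sizeof(sample_dmesg) / sizeof(sample_dmesg[0]))

/* Lines after a BUG header within which a RIP line still belongs to it
 * (assumed; the real oops prints the RIP a handful of lines after the BUG). */
#define OOPS_WINDOW 6

struct oops_hit {
    char fault_addr[17];   /* hex address from the BUG line */
    char comm[32];         /* Comm: value from the CPU: line, or "" */
};

/* Copy the token following `key` into out (at most cap-1 chars), taking
 * characters from `allowed`, or up to the next space if allowed is NULL. */
static void copy_token_after(const char *line, const char *key,
                             const char *allowed, char *out, size_t cap)
{
    const char *p = strstr(line, key);
    if (!p)
        return;
    p += strlen(key);
    size_t n = allowed ? strspn(p, allowed) : strcspn(p, " ");
    if (n >= cap)
        n = cap - 1;
    memcpy(out, p, n);
    out[n] = '\0';
}

/* Count oopses whose RIP is power_saving_thread in acpi_pad and describe up to
 * max_hits of them in hits[]. A paging-request oops in another module, or a
 * RIP line too far from its header, is not matched. */
size_t find_acpi_pad_oopses(const char **lines, size_t nlines,
                            struct oops_hit *hits, size_t max_hits)
{
    size_t found = 0;
    int header = -1;                 /* index of the open BUG header, or -1 */
    struct oops_hit cur;
    memset(&cur, 0, sizeof(cur));

    for (size_t i = 0; i < nlines; i++) {
        const char *l = lines[i];
        if (strstr(l, "BUG: unable to handle kernel paging request")) {
            header = (int)i;
            memset(&cur, 0, sizeof(cur));
            copy_token_after(l, "request at ", "0123456789abcdef",
                             cur.fault_addr, sizeof(cur.fault_addr));
            continue;
        }
        if (header < 0 || (int)i - header > OOPS_WINDOW)
            continue;
        copy_token_after(l, "Comm: ", NULL, cur.comm, sizeof(cur.comm));
        if (strstr(l, "RIP:") && strstr(l, "power_saving_thread") &&
            strstr(l, "[acpi_pad]")) {
            if (found < max_hits)
                hits[found] = cur;
            found++;
            header = -1;             /* one hit per oops header */
        }
    }
    return found;
}

int main(void)
{
    struct oops_hit hits[4];
    size_t n = find_acpi_pad_oopses(sample_dmesg, SAMPLE_DMESG_LINES, hits, 4);
    for (size_t i = 0; i < n; i++)
        printf("acpi_pad oops: comm=%s fault at %s\n", hits[i].comm, hits[i].fault_addr);
    printf("%zu matching oops(es)\n", n);
    return 0;
}
```

On a live host the same function can be fed the output of dmesg or journalctl -k split into lines; a hit whose fault address lies far above the acpi_pad data segment, as in the report, is the pattern this CVE produces, and a match on a patched kernel would indicate something else worth a vmcore.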

Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-10-21T12:17:06.042Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9826c4522896dcbe0a6a

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/28/2025, 9:55:13 PM

Last updated: 8/10/2025, 5:39:48 AM
