CVE-2024-49962 is a vulnerability identified in the Linux kernel's ACPICA (ACPI Component Architecture) implementation. The issue arises from improper handling of the return value of the function ACPI_ALLOCATE_ZEROED() within the acpi_db_convert_to_package() routine. Specifically, ACPI_ALLOCATE_ZEROED() may fail and return a NULL pointer, but this failure is not checked before subsequent dereferencing of the pointer. This leads to a NULL pointer dereference vulnerability, which can cause the kernel to crash or become unstable. The vulnerability is rooted in the ACPI subsystem, which is responsible for hardware configuration and power management. Since ACPI is integral to system operation, a NULL pointer dereference here can result in a denial of service (DoS) condition by crashing the kernel or triggering a kernel panic. The vulnerability does not appear to allow privilege escalation or arbitrary code execution directly, but the resulting DoS can disrupt system availability. The flaw was addressed in ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 by adding proper checks for the return value of ACPI_ALLOCATE_ZEROED(). There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The affected versions are various Linux kernel builds prior to the patch. This vulnerability requires no user interaction but does require that the vulnerable ACPI code path be exercised, which typically occurs during system operation or debugging of ACPI packages.

For European organizations, the primary impact of CVE-2024-49962 is the potential for denial of service on Linux-based systems due to kernel crashes triggered by NULL pointer dereference in the ACPI subsystem. This can affect servers, workstations, and embedded devices running vulnerable Linux kernels, leading to system downtime and disruption of critical services. Organizations relying heavily on Linux for infrastructure, cloud services, or embedded systems may experience operational interruptions. While the vulnerability does not directly expose data confidentiality or integrity, the availability impact can be significant, especially in environments requiring high uptime such as financial institutions, healthcare providers, and critical infrastructure operators. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential future exploitation or accidental triggering during normal operations or debugging activities.

European organizations should prioritize updating their Linux kernels to versions that include the ACPICA patch fixing this vulnerability. Specifically, ensure that the kernel version incorporates the commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 or later. For environments where immediate patching is not feasible, consider the following mitigations: 1) Limit access to systems running vulnerable kernels to trusted administrators only, reducing the risk of accidental or malicious triggering of the vulnerable code path. 2) Monitor system logs for ACPI-related errors or kernel panics that could indicate attempts to exploit or accidental triggering of the flaw. 3) Disable or restrict ACPI debugging features if enabled, as the vulnerability occurs in an ACPI debug function. 4) Employ kernel crash recovery mechanisms and high availability configurations to minimize downtime in case of crashes. 5) Engage with Linux distribution vendors for backported patches if using long-term support kernels. 6) Conduct thorough testing of kernel updates in staging environments before deployment to production to avoid regressions. These steps will help reduce the risk and impact of this vulnerability while ensuring system stability.