
CVE-2024-49994: Vulnerability in the Linux kernel

Severity: High
Published: Mon Oct 21 2024 (10/21/2024, 18:02:35 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

block: fix integer overflow in BLKSECDISCARD

I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 ("block: fix overflow in blk_ioctl_discard()") but for secure erase. Same problem:

    uint64_t r[2] = {512, 18446744073709551104ULL};
    ioctl(fd, BLKSECDISCARD, r);

will enter near infinite loop inside blkdev_issue_secure_erase():

    a.out: attempt to access beyond end of device
    loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
    bio_check_eod: 3286214 callbacks suppressed

AI-Powered Analysis

Last updated: 06/28/2025, 15:57:20 UTC

Technical Analysis

CVE-2024-49994 is a vulnerability in the Linux kernel's block device subsystem, specifically in the BLKSECDISCARD ioctl used for secure erase operations on block devices. The flaw is an integer overflow in the handling of the requested byte range: when the 64-bit unsigned start offset and length supplied with the ioctl are added, the sum wraps around, so an oversized request passes the end-of-device check. The kernel then enters a near-infinite loop inside blkdev_issue_secure_erase(), repeatedly attempting I/O beyond the physical end of the device (the "attempt to access beyond end of device" and bio_check_eod messages quoted in the description), which consumes CPU and can amount to a denial of service (DoS). The issue was independently rediscovered and corresponds to a previously addressed overflow in blk_ioctl_discard(); this variant affects the secure erase path. The vulnerability affects Linux kernel versions identified by the commit hash 44abff2c0b970ae3d310b97617525dc01f248d7c and likely other versions containing the same code. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The root cause is an integer overflow that leads to out-of-range block access attempts and resource exhaustion, which could disrupt system stability and availability.
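An added example, not the kernel's own code, of the range arithmetic described above: a naive end-of-range check computes start + len in 64 bits, which wraps to 0 for the values quoted in the description and so accepts the request, while a check that tests for overflow first rejects it. The device capacity, the zero-length check and the 512-byte alignment check are assumptions modelled on the pattern of the blk_ioctl_discard() fix the description refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 512-byte sector granularity for discard/secure-erase ranges. */
#define SECTOR_SIZE 512ULL

/* Naive check: end = start + len is computed in 64 bits and compared with
 * the device size. If the addition wraps around, 'end' becomes small and
 * an impossible request is accepted. */
bool range_ok_naive(uint64_t start, uint64_t len, uint64_t capacity)
{
    uint64_t end = start + len;   /* silently wraps on overflow */
    return end <= capacity;
}

/* Hardened check: reject unaligned or empty ranges, then detect the wrap
 * explicitly before comparing against the device size. */
bool range_ok_checked(uint64_t start, uint64_t len, uint64_t capacity)
{
    uint64_t end;

    if (len == 0)
        return false;
    if ((start | len) & (SECTOR_SIZE - 1))   /* must be sector aligned */
        return false;
    if (__builtin_add_overflow(start, len, &end))   /* start + len wrapped */
        return false;
    return end <= capacity;
}

int main(void)
{
    /* Constructed device size (1 MiB) and the exact values from the
     * CVE description: start = 512, len = 2^64 - 512. */
    const uint64_t capacity = 1ULL << 20;
    const uint64_t start = 512, len = 18446744073709551104ULL;

    printf("naive   accepts: %s\n", range_ok_naive(start, len, capacity) ? "yes" : "no");
    printf("checked accepts: %s\n", range_ok_checked(start, len, capacity) ? "yes" : "no");
    return 0;
}
```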

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those utilizing secure erase features on block devices. The impact is mainly a denial of service through resource exhaustion, which could disrupt critical services, particularly in data centers, cloud providers, and enterprises relying on Linux-based infrastructure. Systems performing secure erase operations or exposed to untrusted users capable of issuing ioctl calls could be targeted to trigger the infinite loop, potentially causing system hangs or crashes. This could affect availability of services, delay maintenance operations, and increase operational costs. While the vulnerability does not appear to allow privilege escalation or direct data compromise, the denial of service impact on critical infrastructure could indirectly affect confidentiality and integrity by disrupting security monitoring or backup processes. European organizations with high reliance on Linux servers, embedded devices, or storage appliances are at risk, especially if patching is delayed. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits targeting this flaw.

Mitigation Recommendations

Organizations should promptly identify Linux systems running kernel versions containing the vulnerable commit and apply the official patches or kernel updates provided by Linux maintainers as soon as they become available. Until patches are applied, restricting access to ioctl interfaces related to block devices, especially BLKSECDISCARD, can reduce exposure. This can be achieved by enforcing strict access controls, limiting ioctl usage to trusted administrators, and employing mandatory access control frameworks such as SELinux or AppArmor to confine processes that might invoke these ioctls. Monitoring kernel logs for unusual blkdev_issue_secure_erase() activity or repeated bio_check_eod warnings can help detect exploitation attempts. Additionally, organizations should review and harden their secure erase procedures to ensure they are not exposed to untrusted users or automated processes that could be manipulated. Regular vulnerability scanning and kernel version audits will help maintain awareness of exposure. Finally, incorporating this vulnerability into incident response plans ensures readiness to respond to potential denial of service incidents stemming from this flaw.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T12:17:06.055Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdfc2a

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 3:57:20 PM

Last updated: 8/12/2025, 9:10:17 AM
