CVE-2024-50142: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

This expands the validation introduced in commit 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")

syzbot created an SA with
    usersa.sel.family = AF_UNSPEC
    usersa.sel.prefixlen_s = 128
    usersa.family = AF_INET

Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET).

Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on.
AI Analysis
Technical Summary
CVE-2024-50142 is a flaw in the Linux kernel's IPsec subsystem, specifically in the xfrm framework that manages Security Associations (SAs). When a new SA is submitted over the XFRM netlink interface, verify_newsa_info bounds-checks the selector prefix lengths (sel.prefixlen_s and sel.prefixlen_d) against the selector's address family: at most 32 bits for AF_INET and at most 128 for AF_INET6. If the selector family is left unset (AF_UNSPEC), that check is skipped entirely. Later, copy_from_user_state fills the unset x->sel.family from the SA's own family (usersa.family, AF_INET in the syzbot reproducer), so the kernel proceeds with an IPv4 selector carrying prefixlen_s = 128, four times the width of an IPv4 address and a value the earlier validation would have rejected had it seen AF_INET. The fix makes verify_newsa_info apply the same fallback (use sel.family, or the SA's family when sel.family is AF_UNSPEC) before validating prefixlen_{s,d}, so the bounds check runs against the family under which the prefix length will actually be interpreted. The advisory describes the outcome as a malformed SA accepted by the kernel; since the selector prefix length is later used when matching traffic against the SA, the most likely consequence of an out-of-range value is a local denial of service, and no policy bypass has been demonstrated. Triggering the bug requires the ability to add SAs, i.e. CAP_NET_ADMIN in the network namespace the SA is created in. On kernels that permit unprivileged user namespaces an unprivileged local user can obtain that capability in a namespace of their own, so the attack surface is local rather than strictly administrative, but it is not remotely reachable. No exploitation in the wild was reported as of publication.
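As an added illustration (written for this page, not the kernel's own code), the following C model reproduces the selector check before and after the fix. The struct and field names follow the commit message (sel.family, sel.prefixlen_s/d, family); the functions verify_prefixlen_vulnerable, verify_prefixlen_fixed, effective_sel_family, addr_bits and the check_sa wrapper are simplified stand-ins, and the model ignores the other fields and flags the real verify_newsa_info and copy_from_user_state consult. The sample SA is the syzbot one from the description.

```c
/*
 * Added model of the CVE-2024-50142 prefixlen check, before and after the fix.
 * This is NOT the kernel's code: names follow the commit message, but every
 * function here is a simplified stand-in written for this illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>   /* AF_UNSPEC, AF_INET, AF_INET6 */

struct sel_model {
    uint16_t family;      /* AF_UNSPEC, AF_INET or AF_INET6 */
    uint8_t  prefixlen_s; /* source prefix length in bits */
    uint8_t  prefixlen_d; /* destination prefix length in bits */
};

struct usersa_model {
    struct sel_model sel; /* traffic selector supplied by user space */
    uint16_t family;      /* address family of the SA endpoints */
};

/* Address width in bits for a family; 0 means "not a supported family". */
static unsigned addr_bits(uint16_t family)
{
    switch (family) {
    case AF_INET:  return 32;
    case AF_INET6: return 128;
    default:       return 0;
    }
}

static bool prefixlen_in_range(const struct sel_model *sel, uint16_t family)
{
    unsigned bits = addr_bits(family);
    return bits != 0 && sel->prefixlen_s <= bits && sel->prefixlen_d <= bits;
}

/* Pre-fix logic: an AF_UNSPEC selector bypasses the bounds check entirely. */
bool verify_prefixlen_vulnerable(const struct usersa_model *p)
{
    if (p->sel.family == AF_UNSPEC)
        return true;                      /* no limit applied at this point */
    return prefixlen_in_range(&p->sel, p->sel.family);
}

/* Mirrors the copy_from_user_state step: an unset selector family becomes the SA's. */
uint16_t effective_sel_family(const struct usersa_model *p)
{
    return p->sel.family == AF_UNSPEC ? p->family : p->sel.family;
}

/* Post-fix logic: validate against the family the prefixlen will be used with. */
bool verify_prefixlen_fixed(const struct usersa_model *p)
{
    return prefixlen_in_range(&p->sel, effective_sel_family(p));
}

/* Build an SA from its four relevant fields and run one of the two checks. */
bool check_sa(uint16_t sel_family, uint8_t plen_s, uint8_t plen_d,
              uint16_t sa_family, bool use_fixed)
{
    struct usersa_model p = { { sel_family, plen_s, plen_d }, sa_family };
    return use_fixed ? verify_prefixlen_fixed(&p)
                     : verify_prefixlen_vulnerable(&p);
}

int main(void)
{
    /* The syzbot SA from the commit message: AF_UNSPEC selector, /128, AF_INET SA. */
    printf("syzbot SA, vulnerable check: %s\n",
           check_sa(AF_UNSPEC, 128, 0, AF_INET, false) ? "accepted" : "rejected");
    printf("syzbot SA, fixed check:      %s\n",
           check_sa(AF_UNSPEC, 128, 0, AF_INET, true) ? "accepted" : "rejected");
    /* A sane IPv4 SA with an unset selector family still passes the fixed check. */
    printf("AF_UNSPEC sel /24 on AF_INET, fixed check: %s\n",
           check_sa(AF_UNSPEC, 24, 24, AF_INET, true) ? "accepted" : "rejected");
    return 0;
}
```

The vulnerable path accepts the syzbot SA because it never looks at the family the selector will inherit; the fixed path resolves that family first and rejects a 128-bit prefix on an IPv4 selector, while ordinary SAs that leave sel.family unset continue to pass.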
Potential Impact
For European organizations, the exposure is on systems running an unpatched kernel with IPsec in use, which includes the Linux-based VPN gateways, firewalls and routers common in enterprise and service-provider networks. The flaw is local: an attacker already able to add SAs on the host can hand the kernel a selector whose prefix length exceeds the address family's width, which is most plausibly a denial-of-service condition against the IPsec tunnels that host terminates rather than a direct confidentiality breach. The risk is therefore highest where insider threats, compromised administrative accounts, or untrusted local code on hosts that allow unprivileged user namespaces are a concern, and in sectors with strict availability requirements such as finance, government, and critical infrastructure. Loss of a VPN concentrator or gateway translates into operational downtime and, for regulated sectors, possible reporting and compliance consequences.
Mitigation Recommendations
European organizations should apply the kernel update that contains the fix. It is a mainline commit that distributions ship through their regular kernel security updates, so check your vendor's advisory for CVE-2024-50142 rather than comparing against an upstream version number alone: enterprise kernels backport the fix without changing the major version. Until hosts are patched, restrict who can create or modify SAs by limiting CAP_NET_ADMIN, and on systems that do not need them disable unprivileged user namespaces (for example via the user.max_user_namespaces sysctl or your distribution's equivalent setting), since they let an unprivileged local user obtain CAP_NET_ADMIN in a namespace of their own. Audit access to IPsec management tooling (the IKE daemon's control interface, ip xfrm) so that only trusted administrators and automation can reach it, and log SA changes (ip xfrm monitor on the host, or the IKE daemon's logs) to catch unexpected SA additions. Network segmentation limits what a compromised gateway can reach. Disabling IPsec outright is rarely worth the loss of protection for a local denial-of-service bug; reserve that for systems where the kernel cannot be updated and untrusted local users are present. Regular vulnerability scanning and kernel lifecycle management keep such kernel-level issues from lingering.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.956Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe00a7
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 5:41:51 PM
Last updated: 8/1/2025, 1:14:54 AM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)