
CVE-2024-50238: Vulnerability in Linux Linux

Medium
Published: Sat Nov 09 2024 (11/09/2024, 10:14:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

phy: qcom: qmp-usbc: fix NULL-deref on runtime suspend

Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data from the qcom-qmp-usb driver, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks. This bug was later reproduced when the driver was copied to create the qmp-usbc driver.

Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend.

Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with these drivers.

AI-Powered Analysis

Last updated: 06/27/2025, 22:09:56 UTC

Technical Analysis

CVE-2024-50238 is a vulnerability identified in the Linux kernel specifically affecting the Qualcomm QMP USB PHY drivers (qcom-qmp-usb and qmp-usbc). The root cause is a NULL-pointer dereference triggered during the runtime suspend phase of power management. This issue arose because a recent code commit (commit 413db06c05e7) removed the initialization of platform device driver data during the probe phase, mistakenly assuming it was no longer needed. However, this data is still accessed in runtime power management callbacks, leading to a NULL-pointer dereference when runtime suspend is invoked. The qmp-usbc driver, which was created by copying the qcom-qmp-usb driver, inherited this bug. Notably, runtime power management (PM) is not enabled by default for these drivers and must be manually activated via sysfs, which likely explains the absence of widespread exploitation or reports of crashes. The vulnerability could cause kernel crashes or system instability if runtime PM is enabled, potentially leading to denial of service (DoS) conditions. Since this is a kernel-level bug, it affects the core operating system and any dependent applications. The vulnerability has been fixed by restoring the proper initialization of the driver data during the probe phase, preventing the NULL-pointer dereference during runtime suspend. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, the impact of CVE-2024-50238 primarily revolves around system stability and availability. Systems running affected Linux kernel versions with Qualcomm QMP USB PHY drivers that have runtime PM enabled could experience kernel panics or crashes, resulting in denial of service. This could disrupt critical infrastructure, enterprise servers, embedded systems, or IoT devices relying on these drivers. While exploitation requires runtime PM to be manually enabled, organizations that customize power management settings or use advanced power-saving configurations on Qualcomm-based hardware are at risk. The vulnerability does not directly compromise confidentiality or integrity but could indirectly affect availability of services, especially in environments where uptime is critical such as telecommunications, industrial control systems, or cloud infrastructure. Since the vulnerability is in the kernel, recovery may require system reboots and patch deployment, which could impact operational continuity. The lack of known exploits and the requirement for manual runtime PM activation reduce immediate risk, but organizations should remain vigilant and apply patches promptly to avoid potential future exploitation or accidental activation of runtime PM leading to crashes.

Mitigation Recommendations

1. Apply the official Linux kernel patch that restores driver data initialization during the probe phase to eliminate the NULL-pointer dereference. Monitor Linux kernel updates and backport patches if using long-term support kernels.
2. Audit systems to identify if runtime power management is enabled on Qualcomm QMP USB PHY drivers. Disable runtime PM on these drivers if not required, especially in production environments, to prevent triggering the vulnerability.
3. For systems requiring runtime PM, conduct thorough testing in controlled environments after patching to ensure stability.
4. Implement monitoring for kernel crashes or unexpected reboots that could indicate attempts to trigger this vulnerability.
5. Maintain strict configuration management to avoid unintended enabling of runtime PM via sysfs or other interfaces.
6. Engage with hardware vendors and Linux distribution maintainers to confirm that patched kernel versions are available and deployed in a timely manner.
7. For embedded or IoT devices using Qualcomm hardware, coordinate with device manufacturers for firmware and kernel updates addressing this issue.
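One way to carry out the audit in recommendation 2, as an added example that is not part of the original advisory or the kernel project: it reads each bound device's `power/control` attribute in sysfs, where `auto` means runtime PM is enabled and `on` means it is disabled. The driver directory names `qcom-qmp-usb-phy` and `qcom-qmp-usbc-phy` are assumptions and can be overridden through the hypothetical `QMP_DRIVERS` variable.

```shell
#!/bin/sh
# Report runtime-PM state for devices bound to the Qualcomm QMP USB PHY drivers.
# ASSUMPTION: the driver directory names below match your kernel; override with
# QMP_DRIVERS="name1 name2" if they differ.
QMP_DRIVERS="${QMP_DRIVERS:-qcom-qmp-usb-phy qcom-qmp-usbc-phy}"

# audit_qmp_runtime_pm [SYSFS_ROOT]
# Prints one line per bound device:
#   <driver> <device> control=<value> status=<value> <verdict>
# Returns 1 if any device has runtime PM enabled (power/control = auto), else 0.
audit_qmp_runtime_pm() {
    sysfs="${1:-/sys}"
    exposed=0
    for drv in $QMP_DRIVERS; do
        for dev in "$sysfs/bus/platform/drivers/$drv"/*; do
            # Bound devices carry a power/ subdirectory; driver attribute
            # files such as bind, unbind and uevent do not, so skip those.
            [ -f "$dev/power/control" ] || continue
            control=$(cat "$dev/power/control")
            status=$(cat "$dev/power/runtime_status" 2>/dev/null || echo unknown)
            if [ "$control" = "auto" ]; then
                # Runtime suspend can be invoked for this device, which is
                # the precondition the advisory describes for the crash.
                verdict="RUNTIME-PM-ENABLED"
                exposed=1
            else
                verdict="ok"
            fi
            printf '%s %s control=%s status=%s %s\n' \
                "$drv" "$(basename "$dev")" "$control" "$status" "$verdict"
        done
    done
    return "$exposed"
}

# Run the audit only when asked to, e.g.:  sh audit.sh --run [/sys]
if [ "${1:-}" = "--run" ]; then
    audit_qmp_runtime_pm "${2:-/sys}"
fi
```

On an unpatched kernel, a device reported as `RUNTIME-PM-ENABLED` can be returned to the default by writing `on` to its `power/control` file as root.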


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.976Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdcf89

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 10:09:56 PM

Last updated: 8/1/2025, 6:42:41 PM
