CVE-2024-50239: Vulnerability in Linux Linux

Medium
Published: Sat Nov 09 2024 (11/09/2024, 10:14:49 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend

Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data from the qcom-qmp-usb driver, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks. This bug was later reproduced when the driver was copied to create the qmp-usb-legacy driver.

Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend.

Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with these drivers.

AI-Powered Analysis

Last updated: 06/28/2025, 13:24:50 UTC

Technical Analysis

CVE-2024-50239 is a vulnerability identified in the Linux kernel specifically affecting the Qualcomm QMP USB legacy driver (qmp-usb-legacy). The root cause stems from a NULL pointer dereference triggered during the runtime suspend operation of the driver. The issue originated when a commit (413db06c05e7) intended to clean up the probe initialization in the qcom-qmp-usb driver inadvertently removed the initialization of platform device driver data. Although most usages of this data were removed, the runtime power management (PM) callbacks still relied on it. This omission led to a NULL pointer dereference when runtime suspend was invoked. The problem was later replicated in the qmp-usb-legacy driver, which was derived from the original qcom-qmp-usb driver. The fix involved restoring the driver data initialization during the probe phase to prevent the NULL dereference. Notably, runtime PM with these drivers is not enabled by default and requires manual activation via sysfs, which limits the exposure of this vulnerability under typical configurations. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet. The vulnerability affects specific Linux kernel versions identified by the commit hash e464a3180a43b6596bd267f9f274e1793bfb8150, indicating a narrow window of affected builds.

Potential Impact

For European organizations, the impact of CVE-2024-50239 is currently limited due to the requirement that runtime power management must be manually enabled for the affected Qualcomm USB legacy driver. Organizations using Linux systems with Qualcomm QMP USB legacy drivers that have runtime PM enabled could experience system instability or crashes caused by the NULL pointer dereference during runtime suspend operations. This could lead to denial of service (DoS) conditions on affected devices, potentially disrupting critical systems that rely on these drivers, such as embedded systems, IoT devices, or specialized hardware running Linux kernels with Qualcomm USB components. However, since runtime PM is not enabled by default and the affected driver is relatively specialized, widespread impact across general enterprise Linux deployments is unlikely. The vulnerability does not appear to allow privilege escalation or remote code execution, limiting the scope to availability concerns. Nevertheless, organizations with embedded Linux devices or telecom infrastructure using Qualcomm hardware should assess their exposure carefully.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Identify Linux systems running Qualcomm QMP USB legacy drivers, particularly those with runtime power management enabled.
2) Apply the official Linux kernel patch that restores the driver data initialization during the probe phase as soon as it becomes available in their kernel distribution or vendor updates.
3) If runtime PM is not required, ensure it remains disabled to reduce exposure.
4) For embedded or specialized devices, coordinate with hardware vendors or system integrators to obtain patched firmware or kernel versions.
5) Monitor sysfs settings related to runtime PM to detect unauthorized enabling of this feature.
6) Implement robust system monitoring to detect crashes or abnormal suspend/resume behavior that could indicate exploitation attempts.
7) Maintain up-to-date inventories of kernel versions and drivers in use to facilitate rapid response to similar vulnerabilities.
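One way to carry out steps 1 and 5 on a host, as an added example that is not part of the original advisory: the script lists platform devices bound to a QMP USB PHY driver and reports each device's sysfs `power/control` value, where `auto` means runtime PM is enabled and `on` means it is not. The driver-name pattern and the device and driver names in the sample tree are assumptions and constructed values.

```shell
#!/bin/sh
# Added example. PATTERN is an assumption: a substring match on the driver
# names given in the advisory; confirm the exact driver name on the target.
PATTERN=${PATTERN:-qmp-usb}

# audit_runtime_pm SYSFS_ROOT
# Prints "<device> <driver> <power/control>" for each platform device bound
# to a matching driver. Returns 1 if any of them has power/control = auto,
# i.e. runtime PM has been enabled for that device.
audit_runtime_pm() {
    flagged=0
    for dev in "$1"/bus/platform/devices/*; do
        [ -L "$dev/driver" ] || continue            # unbound device
        drv=$(basename "$(readlink "$dev/driver")")
        case $drv in *"$PATTERN"*) ;; *) continue ;; esac
        ctl=unknown
        [ -r "$dev/power/control" ] && ctl=$(cat "$dev/power/control")
        echo "$(basename "$dev") $drv $ctl"
        [ "$ctl" = auto ] && flagged=1
    done
    return "$flagged"
}

# make_sample_tree: builds a CONSTRUCTED stand-in for /sys (device and driver
# names are sample values) and prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    _add_dev() {   # _add_dev NAME DRIVER CONTROL
        mkdir -p "$t/bus/platform/devices/$1/power"
        ln -s "../../drivers/$2" "$t/bus/platform/devices/$1/driver"
        echo "$3" > "$t/bus/platform/devices/$1/power/control"
    }
    _add_dev 88e2000.phy qcom-qmp-usb-legacy-phy auto
    _add_dev 88e3000.phy qcom-qmp-usb-legacy-phy on
    _add_dev a600000.usb example-unrelated auto
    echo "$t"
}

# With no argument, audit the constructed tree; pass /sys to audit a host.
root=${1:-$(make_sample_tree)}
audit_runtime_pm "$root" || echo "WARNING: runtime PM enabled on a matching device"
```

Run periodically, a non-zero return from `audit_runtime_pm /sys` can feed an alert for step 5.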

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.976Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf5fb

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 1:24:50 PM

Last updated: 7/31/2025, 12:34:08 PM
