CVE-2024-50294 is a concurrency-related vulnerability in the Linux kernel's rxrpc subsystem, which handles the RxRPC protocol used primarily by AFS (Andrew File System) and related distributed file systems. The flaw arises from missing locking mechanisms when aborting calls that are queued for connection but not yet processed by the I/O thread. Specifically, if a call is aborted (for example, due to a signal detected by kafs) between the queuing and the I/O thread's processing, the abort operation is prioritized and the call is removed from the local->new_client_calls list without acquiring the necessary client_call_lock. This lack of synchronization can cause a race condition where other calls on the list may disappear unexpectedly, leading to potential call hanging or loss of call state. The root cause is the absence of proper locking when removing a call from the list it is linked to via ->wait_link. The fix involves ensuring that the client_call_lock is held whenever a call is removed from any list, preventing race conditions and ensuring consistent state management. This vulnerability affects Linux kernel versions identified by the commit hash 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d and was publicly disclosed on November 19, 2024. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet.

For European organizations, the impact of CVE-2024-50294 depends largely on their use of Linux systems running affected kernel versions and specifically whether they utilize the RxRPC protocol, commonly in environments using AFS or similar distributed file systems. The vulnerability can cause hanging calls or loss of call state, potentially leading to denial of service (DoS) conditions in critical networked file system operations. This can disrupt file access and data availability, impacting business continuity for organizations relying on these systems for file sharing and distributed storage. While this vulnerability does not directly lead to privilege escalation or remote code execution, the induced instability and potential DoS could affect critical infrastructure, especially in sectors such as telecommunications, research institutions, and enterprises with legacy AFS deployments. The absence of known exploits suggests limited immediate risk, but the race condition nature means that exploitation could be triggered under specific workloads or signal conditions, making it a reliability and availability concern.

European organizations should prioritize updating their Linux kernels to versions that include the patch fixing CVE-2024-50294. Since the vulnerability arises from missing locking in the rxrpc subsystem, applying the official kernel patch or upgrading to a kernel version released after November 19, 2024, that contains the fix is essential. Organizations using AFS or related distributed file systems should audit their usage of RxRPC calls and monitor for unusual call hangs or failures. Additionally, system administrators should review kernel logs for anomalies related to rxrpc or call aborts and consider implementing kernel-level monitoring to detect race conditions or locking issues. For environments where immediate patching is not feasible, temporarily disabling or limiting the use of RxRPC-dependent services may reduce exposure. Finally, organizations should maintain robust backup and recovery procedures to mitigate potential data availability impacts caused by call hangs or DoS conditions.