CVE-2024-53075: Vulnerability in Linux Linux

Medium
Published: Tue Nov 19 2024 (11/19/2024, 17:31:39 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: Prevent a bad reference count on CPU nodes

When populating cache leaves we previously fetched the CPU device node at the very beginning. But when ACPI is enabled we go through a specific branch which returns early and does not call 'of_node_put' for the node that was acquired.

Since we are not using a CPU device node for the ACPI code anyways, we can simply move the initialization of it just past the ACPI block, and we are guaranteed to have an 'of_node_put' call for the acquired node. This prevents a bad reference count of the CPU device node.

Moreover, the previous function did not check for errors when acquiring the device node, so a return -ENOENT has been added for that case.

AI-Powered Analysis

Last updated: 06/28/2025, 14:40:03 UTC

Technical Analysis

CVE-2024-53075 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture's handling of CPU device nodes during cache leaf population. The issue arises from improper reference counting of CPU device nodes when ACPI (Advanced Configuration and Power Interface) is enabled.

Initially, the kernel code fetched the CPU device node at the start of the cache leaf population process. However, when ACPI is enabled, the code path returns early without calling 'of_node_put' to decrement the reference count of the acquired device node. This omission leads to a bad reference count, which can cause resource leaks or inconsistent kernel state. Additionally, the original function did not check for errors when acquiring the device node, potentially allowing the function to proceed with invalid or null pointers.

The patch moves the initialization of the CPU device node acquisition past the ACPI-specific code block, ensuring that 'of_node_put' is always called for the acquired node, thus maintaining correct reference counting. It also adds error handling to return -ENOENT if the device node acquisition fails.

This vulnerability is a memory/resource management flaw rather than a direct code execution or privilege escalation issue. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet. The affected versions correspond to specific Linux kernel commits prior to the fix. The vulnerability is relevant primarily to Linux systems running on RISC-V architectures with ACPI enabled, which is a relatively niche but growing segment in the Linux ecosystem.
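The control-flow shape of the bug and of the fix, as an added example that is neither the kernel's code nor part of the original page. It is a userspace C model: `model_node`, `model_node_get`, `model_node_put`, `populate_before`, `populate_after` and `leaked_refs` are hypothetical names, with `model_node_put` standing in for 'of_node_put'.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace stand-in for a refcounted device node; all names are hypothetical. */
struct model_node { int refcount; };

static struct model_node *model_node_get(struct model_node *n)
{
    if (n) n->refcount++;       /* acquiring the node takes a reference */
    return n;
}

static void model_node_put(struct model_node *n)
{
    if (n) n->refcount--;       /* the role 'of_node_put' plays */
}

/* Pre-fix shape: node acquired first, ACPI branch returns without a put. */
int populate_before(struct model_node *cpu, int acpi_enabled)
{
    struct model_node *np = model_node_get(cpu);
    if (acpi_enabled)
        return 0;               /* early return: the reference is never dropped */
    /* ... cache leaves would be filled in from np here ... */
    model_node_put(np);
    return 0;
}

/* Post-fix shape: acquire only past the ACPI block and check the result. */
int populate_after(struct model_node *cpu, int acpi_enabled)
{
    struct model_node *np;
    if (acpi_enabled)
        return 0;               /* no node is held on this path */
    np = model_node_get(cpu);
    if (!np)
        return -ENOENT;         /* acquisition failed */
    /* ... cache leaves would be filled in from np here ... */
    model_node_put(np);
    return 0;
}

/* Net references left behind after `calls` invocations of fn. */
int leaked_refs(int (*fn)(struct model_node *, int), int acpi_enabled, int calls)
{
    struct model_node cpu = { 1 };
    for (int i = 0; i < calls; i++)
        fn(&cpu, acpi_enabled);
    return cpu.refcount - 1;
}
```

In the model, every call on the ACPI path of the pre-fix shape leaves one extra reference on the node, while the post-fix shape stays balanced on both paths.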

Potential Impact

For European organizations, the impact of CVE-2024-53075 is likely limited but should not be dismissed. The vulnerability could lead to kernel instability or resource leaks on RISC-V Linux systems, potentially causing system crashes or degraded performance. This may affect servers, embedded devices, or specialized computing environments using RISC-V processors. While RISC-V adoption in Europe is emerging, it is not yet widespread in mainstream enterprise infrastructure. However, sectors involved in research, academia, telecommunications, or industrial control systems experimenting with RISC-V may be at risk. The vulnerability does not appear to allow privilege escalation or remote code execution, so the confidentiality and integrity of data are less likely to be directly compromised. The primary concern is availability and system reliability. Organizations relying on RISC-V Linux systems should be aware of this issue to avoid unexpected downtime or instability that could disrupt operations or critical services.

Mitigation Recommendations

To mitigate CVE-2024-53075, organizations should:

1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available, ensuring the fix that corrects the reference counting and adds error handling is included.
2) For systems running RISC-V Linux kernels, verify whether ACPI is enabled and assess the necessity of this feature; if not required, consider disabling ACPI to reduce exposure.
3) Monitor kernel logs and system stability metrics for signs of resource leaks or crashes that could indicate exploitation or manifestation of the bug.
4) Implement rigorous testing and validation of kernel updates in development or staging environments before deployment to production to prevent regressions.
5) Maintain an inventory of RISC-V Linux systems within the organization to ensure all affected devices are identified and updated promptly.
6) Engage with Linux distribution vendors or maintainers to confirm that the patched kernel versions are integrated into official releases used by the organization.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-11-19T17:17:24.976Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf8fe

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 2:40:03 PM

Last updated: 7/31/2025, 8:37:11 AM
