CVE-2024-56695: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Use dynamic allocation for CU occupancy array in 'kfd_get_cu_occupancy()'

The `kfd_get_cu_occupancy` function previously declared a large `cu_occupancy` array as a local variable, which could lead to stack overflows due to excessive stack usage. This commit replaces the static array allocation with dynamic memory allocation using `kcalloc`, thereby reducing the stack size. This change avoids the risk of stack overflows in kernel space, in scenarios where `AMDGPU_MAX_QUEUES` is large. The allocated memory is freed using `kfree` before the function returns to prevent memory leaks.

Fixes the below with gcc W=1:
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_process.c: In function ‘kfd_get_cu_occupancy’:
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_process.c:322:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]
  322 | }
      | ^
AI Analysis
Technical Summary
CVE-2024-56695 addresses a vulnerability in the Linux kernel, specifically within the AMD GPU driver component amdkfd, in the function kfd_get_cu_occupancy(). The vulnerability arises from a large fixed-size array named cu_occupancy that was declared as a local variable and therefore placed on the kernel stack. When AMDGPU_MAX_QUEUES is large, this array results in excessive stack usage: the compiler reported a frame size of 1056 bytes for the function, which is larger than the 1024-byte warning threshold. This condition can lead to a stack overflow in kernel space, which is a critical security concern because kernel stack overflows can cause system instability, crashes (denial of service), or potentially be exploited to execute arbitrary code with kernel privileges. The fix replaces the local array with a dynamically allocated array using kcalloc, which allocates memory on the heap rather than the stack, thereby mitigating the risk of stack overflow. The dynamically allocated memory is freed with kfree before the function returns, preventing memory leaks. This patch improves the robustness of the kernel driver by managing memory more safely and avoiding excessive stack usage. No known exploits are currently reported in the wild, and the vulnerability was identified through compiler warnings related to frame size. The vulnerability affects Linux kernel versions containing the specified commit (6ae9e1aba97e4cdaa31a0bfdc07497ad0e915c84).
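The before/after pattern the fix describes, as an added userspace example (not the kernel commit's code): `calloc`/`free` stand in for `kcalloc`/`kfree`, and `MAX_QUEUES`, `struct cu_entry` and the function names are hypothetical, with sizes constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_QUEUES 128   /* stand-in for AMDGPU_MAX_QUEUES; value assumed */

struct cu_entry {        /* hypothetical per-queue record, 8 bytes */
    unsigned int wave_cnt;
    unsigned int doorbell_off;
};

/* Hypothetical stand-in for the hardware readback: fill the table, sum waves. */
static unsigned int fill_and_sum(struct cu_entry *tbl, size_t n)
{
    unsigned int sum = 0;
    for (size_t i = 0; i < n; i++) {
        tbl[i].wave_cnt = (unsigned int)(i % 4);
        tbl[i].doorbell_off = (unsigned int)(i * 8);
        sum += tbl[i].wave_cnt;
    }
    return sum;
}

/* Before: the whole table (128 * 8 = 1024 bytes) sits in this stack frame. */
int sum_waves_stack(unsigned int *out)
{
    struct cu_entry tbl[MAX_QUEUES];
    *out = fill_and_sum(tbl, MAX_QUEUES);
    return 0;
}

/* After: only a pointer is on the stack; the table comes from the heap. */
int sum_waves_heap(unsigned int *out)
{
    struct cu_entry *tbl = calloc(MAX_QUEUES, sizeof(*tbl));
    if (!tbl)
        return -ENOMEM;  /* new failure path the caller must handle */
    *out = fill_and_sum(tbl, MAX_QUEUES);
    free(tbl);           /* released before returning, so no leak */
    return 0;
}

int main(void)
{
    unsigned int a = 0, b = 0;
    int ra = sum_waves_stack(&a), rb = sum_waves_heap(&b);
    printf("stack rc=%d sum=%u, heap rc=%d sum=%u\n", ra, a, rb, b);
    return 0;
}
```

Compiling with `gcc -O0 -Wframe-larger-than=1024` flags the oversized frame in `sum_waves_stack` only. The heap version trades that stack cost for an allocation that can fail, so the caller has to handle the `-ENOMEM` return.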
Potential Impact
For European organizations, the impact of this vulnerability primarily concerns systems running Linux kernels with AMD GPU drivers, particularly those using the amdkfd component. This includes servers, workstations, and possibly embedded systems that rely on AMD GPUs for compute or graphical workloads. Exploitation of this vulnerability could lead to kernel stack overflow, causing system crashes or denial of service, which can disrupt critical services and operations. In worst-case scenarios, if an attacker can leverage the overflow to execute arbitrary code in kernel mode, it could lead to full system compromise, data breaches, or persistent malware installation. Given the kernel-level nature of the vulnerability, the integrity and availability of affected systems are at risk. Confidentiality could also be impacted if kernel-level code execution is achieved. European organizations in sectors such as finance, manufacturing, research, and government that deploy Linux systems with AMD GPUs are particularly at risk. However, exploitation requires local access or the ability to execute code on the affected system, limiting remote attack vectors. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is now public.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-56695. Specifically, they should ensure that their AMD GPU drivers (amdkfd) are updated to the fixed commit or later. Kernel updates should be tested in staging environments to verify compatibility and stability before deployment. Organizations should audit their systems to identify Linux hosts with AMD GPUs and verify kernel versions. For environments where immediate patching is not feasible, restricting access to systems with AMD GPUs and limiting user privileges can reduce exploitation risk. Monitoring kernel logs for unusual stack overflow warnings or crashes related to amdkfd may provide early detection of attempted exploitation. Additionally, organizations should maintain robust endpoint security controls to prevent unauthorized code execution on Linux hosts. Employing kernel hardening techniques such as stack canaries, kernel address space layout randomization (KASLR), and control-flow integrity (CFI) can further mitigate exploitation impact. Finally, maintaining an up-to-date inventory of hardware and software assets will facilitate rapid response to vulnerabilities affecting specific components like AMD GPU drivers.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.850Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde56e
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 6:56:42 AM
Last updated: 8/17/2025, 5:14:36 AM