CVE-2024-57939: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

riscv: Fix sleeping in invalid context in die()

die() can be called in exception handler, and therefore cannot sleep. However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled. That causes the following warning:

    BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
    in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex
    preempt_count: 110001, expected: 0
    RCU nest depth: 0, expected: 0
    CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234
    Hardware name: riscv-virtio,qemu (DT)
    Call Trace:
        dump_backtrace+0x1c/0x24
        show_stack+0x2c/0x38
        dump_stack_lvl+0x5a/0x72
        dump_stack+0x14/0x1c
        __might_resched+0x130/0x13a
        rt_spin_lock+0x2a/0x5c
        die+0x24/0x112
        do_trap_insn_illegal+0xa0/0xea
        _new_vmalloc_restore_context_a0+0xcc/0xd8
    Oops - illegal instruction [#1]

Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT enabled.
AI Analysis
Technical Summary
CVE-2024-57939 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture implementation. The issue arises from the improper use of spinlock mechanisms within the die() function, which is invoked during exception handling. The die() function takes a spinlock_t type lock, which can sleep when the PREEMPT_RT (Real-Time Preemption) patch is enabled. Sleeping in this context is invalid because exception handlers must not sleep, leading to kernel warnings and potential instability. The warning message indicates that a sleeping function was called from an invalid context, with in_atomic() and irqs_disabled() flags set, which violates kernel locking rules. This can cause kernel oops or crashes due to illegal instructions or improper scheduling behavior. The root cause is that spinlock_t can sleep under PREEMPT_RT, but die() must not sleep. The fix involves switching from spinlock_t to raw_spinlock_t, which does not sleep even with PREEMPT_RT enabled, thereby preserving the atomic and non-sleeping context required in exception handlers. This vulnerability affects Linux kernel versions containing the specified commit hashes prior to the fix and is relevant for systems running the Linux kernel on RISC-V hardware or emulators like QEMU. No known exploits are reported in the wild as of now, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment of Linux systems running on RISC-V architecture with PREEMPT_RT enabled. While RISC-V is an emerging architecture, its adoption in embedded systems, IoT devices, and specialized computing platforms is growing. Organizations using such systems in critical infrastructure, industrial control, or real-time applications could face system instability, unexpected kernel crashes, or denial of service conditions if the vulnerability is triggered. This could lead to downtime, loss of availability, and potential disruption of services. Although the vulnerability does not directly expose confidentiality or integrity risks, the resulting kernel instability could be exploited as a denial-of-service vector or could complicate incident response and recovery. The lack of known exploits reduces immediate risk, but the vulnerability's presence in kernel exception handling makes it a reliability concern for real-time and safety-critical applications prevalent in sectors such as manufacturing, automotive, and telecommunications within Europe.
Mitigation Recommendations
European organizations should:
- Prioritize updating their Linux kernels to versions where this vulnerability is patched, specifically ensuring that the kernel uses raw_spinlock_t in the die() function for RISC-V architectures with PREEMPT_RT enabled.
- Where immediate patching is not feasible, audit their use of PREEMPT_RT on RISC-V platforms and consider disabling PREEMPT_RT temporarily if the risk of kernel crashes outweighs real-time performance needs.
- Implement robust monitoring for kernel oops, warnings, and crashes to detect any manifestation of this issue early.
- Test kernel updates in staging environments that replicate production RISC-V workloads to validate stability.
- Maintain an inventory of devices running RISC-V Linux kernels to assess exposure and prioritize remediation efforts accordingly.

Vendors and integrators deploying RISC-V Linux systems should communicate this fix to customers and ensure firmware and kernel updates are distributed promptly.
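For the monitoring recommendation above, one way to pick this specific warning out of collected kernel logs is to parse each "sleeping function called from invalid context" report and check whether rt_spin_lock was entered directly from die(). This is an added example, not code from the kernel project or the advisory; the function names, the regular expressions and the second sample report are assumptions made for illustration.

```python
import re
# Sample kernel log. The first report is the warning quoted in the CVE
# description (abridged, one entry per line); the second is a constructed,
# unrelated report with hypothetical frames, included for contrast.
SAMPLE_LOG = """\
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex
Call Trace:
 __might_resched+0x130/0x13a
 rt_spin_lock+0x2a/0x5c
 die+0x24/0x112
 do_trap_insn_illegal+0xa0/0xea
 _new_vmalloc_restore_context_a0+0xcc/0xd8
Oops - illegal instruction [#1]
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:100
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 41, name: example
Call Trace:
 __might_resched+0x130/0x13a
 mutex_lock+0x20/0x40
 example_irq_handler+0x10/0x30
"""

BUG_RE = re.compile(r"BUG: sleeping function called from invalid context at (\S+)")
CTX_RE = re.compile(r"in_atomic\(\): (\d+), irqs_disabled\(\): (\d+).*?pid: (\d+), name: (\S+)")
FRAME_RE = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_reports(log_text):
    """Return one dict per 'sleeping function' report found in log_text."""
    reports, cur = [], None
    for line in log_text.splitlines():
        m = BUG_RE.search(line)
        if m:
            cur = {"site": m.group(1), "frames": []}
            reports.append(cur)
        elif cur is not None:
            ctx, frame = CTX_RE.search(line), FRAME_RE.search(line)
            if ctx:
                cur.update(in_atomic=int(ctx[1]), irqs_disabled=int(ctx[2]),
                           pid=int(ctx[3]), comm=ctx[4])
            elif frame:
                cur["frames"].append(frame.group(1))
            elif cur["frames"]:
                cur = None  # first non-frame line after the trace ends the report
    return reports

def matches_die_signature(report):
    """True when rt_spin_lock was entered directly from die(), the path in this CVE."""
    f = report["frames"]
    return any(a == "rt_spin_lock" and b == "die" for a, b in zip(f, f[1:]))
```

Because the regular expressions use search rather than anchored matching, the same functions accept lines carrying a dmesg timestamp or address prefix.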
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-19T11:50:08.378Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdeb0b
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 9:11:33 AM
Last updated: 8/16/2025, 8:06:55 PM