CVE-2024-57940 is a vulnerability identified in the Linux kernel's exFAT filesystem driver. The flaw arises when the exFAT filesystem is corrupted such that a cluster in the cluster chain links to itself, creating a self-referential loop. Additionally, if there exists an unused directory entry within that cluster, the directory entry counter ('dentry') does not increment as expected. This failure prevents the loop termination condition ('dentry < max_dentries') from being met, resulting in an infinite loop during directory reading operations (exfat_readdir()). The infinite loop causes the kernel lock 's_lock' to remain held indefinitely, which in turn causes other kernel tasks, including exfat_sync_fs(), to hang. This effectively leads to a denial of service (DoS) condition on the affected system, as filesystem operations become unresponsive. The patch implemented stops traversing the cluster chain when an unused directory entry is detected in the cluster, thereby preventing the infinite loop from occurring. This vulnerability is specific to the exFAT filesystem implementation in the Linux kernel and requires the filesystem to be corrupted in a particular way to trigger the issue. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet.

For European organizations, this vulnerability poses a risk primarily in environments where Linux systems utilize exFAT filesystems, which are commonly used for removable storage devices such as USB drives and SD cards. The infinite loop and resultant kernel lockup can cause system hangs and denial of service, potentially disrupting critical services or workflows that depend on access to exFAT-formatted media. This could impact sectors with high reliance on Linux infrastructure and removable media, such as manufacturing, research institutions, and media production companies. The requirement for a corrupted filesystem to trigger the vulnerability reduces the likelihood of accidental exploitation but does not eliminate the risk of deliberate tampering or malware-induced corruption. In multi-user or multi-process environments, the hang could affect system availability and productivity. Additionally, systems that automatically mount exFAT devices could be vulnerable to DoS if an attacker introduces a maliciously crafted exFAT filesystem. While the vulnerability does not directly lead to privilege escalation or data leakage, the denial of service impact can have significant operational consequences.

European organizations should ensure that Linux kernel versions are updated to include the patch that addresses CVE-2024-57940 as soon as it becomes available. Specifically, kernel updates that fix the exfat_readdir() infinite loop should be applied promptly. Organizations should implement strict controls and scanning of removable media to detect and prevent the introduction of corrupted or maliciously crafted exFAT filesystems. Employing filesystem integrity monitoring tools and restricting automatic mounting of external storage devices can reduce exposure. Additionally, system administrators should monitor kernel logs and system responsiveness for signs of hangs related to exFAT operations. In environments where exFAT usage is not essential, disabling or removing exFAT support can eliminate the attack surface. For critical systems, consider isolating or sandboxing processes that handle external storage to contain potential impacts. Finally, educating users about the risks of using untrusted removable media can help prevent accidental exposure.