
CVE-2024-58008: Vulnerability in Linux Linux

Medium
Published: Thu Feb 27 2025 (02/27/2025, 02:12:04 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix improper sg use with CONFIG_VMAP_STACK=y With vmalloc stack addresses enabled (CONFIG_VMAP_STACK=y) DCP trusted keys can crash during en- and decryption of the blob encryption key via the DCP crypto driver. This is caused by improperly using sg_init_one() with vmalloc'd stack buffers (plain_key_blob). Fix this by always using kmalloc() for buffers we give to the DCP crypto driver.

AI-Powered Analysis

Last updated: 06/27/2025, 23:09:29 UTC

Technical Analysis

CVE-2024-58008 is a vulnerability in the Linux kernel's handling of trusted keys by the DCP (Data Co-Processor) crypto driver when the kernel is built with vmalloc stack addresses enabled (CONFIG_VMAP_STACK=y). The issue arises from improper use of the sg_init_one() function with a vmalloc'd stack buffer, specifically the plain_key_blob buffer used during encryption and decryption of blob encryption keys, which can crash the DCP trusted keys subsystem. The root cause is that sg_init_one() expects physically contiguous memory, which vmalloc'd buffers do not guarantee, so the scatter-gather list is initialized improperly. The fix replaces the vmalloc'd stack buffers with kmalloc()-allocated buffers for all data passed to the DCP crypto driver, ensuring proper memory handling and preventing the crashes. The affected Linux kernel versions are identified by commit hashes, and the vulnerability is relevant only when the kernel is built with CONFIG_VMAP_STACK enabled, a configuration that randomizes stack addresses for security. No known exploits have been reported in the wild at the time of publication, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, the impact of CVE-2024-58008 depends largely on their use of Linux systems with the CONFIG_VMAP_STACK=y configuration and reliance on the DCP crypto driver for trusted key operations. The vulnerability can cause kernel crashes (denial of service) during encryption or decryption operations involving trusted keys, potentially disrupting critical services that depend on secure key management and cryptographic operations. This could affect servers, embedded devices, or specialized hardware running Linux kernels with this configuration. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting system instability or downtime could impact availability and operational continuity, especially in environments requiring high reliability such as financial institutions, healthcare, and critical infrastructure. Since no known exploits exist yet, the immediate risk is moderate, but organizations should prioritize patching to prevent potential future exploitation. The vulnerability also highlights the importance of secure kernel configuration and memory management in cryptographic subsystems.

Mitigation Recommendations

European organizations should take the following specific actions:

1) Identify Linux systems running kernels with CONFIG_VMAP_STACK enabled and using the DCP crypto driver for trusted keys.
2) Apply the official Linux kernel patches that replace vmalloc'd stack buffers with kmalloc()-allocated buffers as soon as they become available from trusted Linux distributions or kernel maintainers.
3) If patching is not immediately possible, consider disabling CONFIG_VMAP_STACK or the DCP crypto driver if feasible and if it does not impact critical functionality, as a temporary mitigation.
4) Monitor system logs and kernel crash reports for signs of instability related to trusted key operations.
5) Implement robust kernel update and configuration management processes to ensure timely deployment of security fixes.
6) Engage with hardware and software vendors to confirm the impact on embedded devices or specialized Linux-based systems and coordinate patching efforts.
7) Conduct testing in controlled environments before deploying patches in production to avoid unintended disruptions.
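The first mitigation step (identifying kernels that combine CONFIG_VMAP_STACK=y with DCP trusted keys) can be scripted against a kernel configuration file. The following POSIX shell script is an added example, not part of this advisory or of the kernel project; CONFIG_VMAP_STACK is named in the advisory, while the Kconfig symbols CONFIG_TRUSTED_KEYS_DCP and CONFIG_CRYPTO_DEV_MXS_DCP are assumptions (the mainline names for DCP trusted keys and the DCP crypto driver, which the advisory does not spell out). The sample configuration files are constructed inline so the check runs offline; the last lines also inspect the running kernel's config when one is readable.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a kernel .config for the
# combination that makes the CVE-2024-58008 crash path reachable.
# CONFIG_VMAP_STACK is from the advisory; the DCP symbol names below are
# assumptions (mainline Kconfig names), adjust them for your tree if needed.

# cfg_value FILE SYMBOL -> prints y/m (or the literal value), "n" when unset.
cfg_value() {
    _v=$(grep -E "^$2=" "$1" 2>/dev/null | head -n 1 | cut -d= -f2)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'n\n'; fi
}

# dcp_exposure FILE -> one word:
#   exposed   : VMAP_STACK=y and DCP trusted keys plus the DCP driver enabled
#   vmap-only : VMAP_STACK=y but no DCP trusted keys (bug not reachable)
#   no-vmap   : VMAP_STACK disabled (the vmalloc'd-stack crash path is absent)
dcp_exposure() {
    vmap=$(cfg_value "$1" CONFIG_VMAP_STACK)
    tk=$(cfg_value "$1" CONFIG_TRUSTED_KEYS_DCP)      # assumed symbol name
    drv=$(cfg_value "$1" CONFIG_CRYPTO_DEV_MXS_DCP)   # assumed symbol name
    if [ "$vmap" != "y" ]; then
        echo no-vmap
    elif [ "$tk" != "n" ] && [ "$drv" != "n" ]; then
        echo exposed
    else
        echo vmap-only
    fi
}

# Scratch directory for constructed samples and an extracted /proc/config.gz.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# running_config -> path to the running kernel's config, or nothing.
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$SAMPLE_DIR/running.config" \
            && echo "$SAMPLE_DIR/running.config"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# Constructed sample configs covering each outcome.
cat > "$SAMPLE_DIR/exposed.config" <<'EOF'
CONFIG_VMAP_STACK=y
CONFIG_TRUSTED_KEYS=y
CONFIG_TRUSTED_KEYS_DCP=y
CONFIG_CRYPTO_DEV_MXS_DCP=m
EOF
cat > "$SAMPLE_DIR/vmap-only.config" <<'EOF'
CONFIG_VMAP_STACK=y
# CONFIG_TRUSTED_KEYS_DCP is not set
# CONFIG_CRYPTO_DEV_MXS_DCP is not set
EOF
cat > "$SAMPLE_DIR/no-vmap.config" <<'EOF'
# CONFIG_VMAP_STACK is not set
CONFIG_TRUSTED_KEYS_DCP=y
CONFIG_CRYPTO_DEV_MXS_DCP=y
EOF

for f in "$SAMPLE_DIR"/*.config; do
    printf '%s: %s\n' "$(basename "$f")" "$(dcp_exposure "$f")"
done

cfg=$(running_config)
if [ -n "$cfg" ]; then
    printf 'running kernel (%s): %s\n' "$(uname -r)" "$(dcp_exposure "$cfg")"
fi
```

A result of "exposed" means the system matches step 1 and should be scheduled for the kernel patch; "vmap-only" systems are not affected by this particular crash, and "no-vmap" reflects the configuration that step 3 describes as a temporary fallback.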


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-27T02:10:48.227Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd24e

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 11:09:29 PM

Last updated: 8/16/2025, 2:53:31 AM

Views: 11
