CVE-2024-58093: Vulnerability in Linux

Medium
Published: Wed Apr 16 2025 (04/16/2025, 14:11:42 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI/ASPM: Fix link state exit during switch upstream function removal

Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed. That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after.

After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link. That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports. The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order.

On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone.

[kwilczynski: commit log]

AI-Powered Analysis

Last updated: 07/03/2025, 19:43:02 UTC

Technical Analysis

CVE-2024-58093 is a vulnerability in the Linux kernel related to the handling of PCI Express Active State Power Management (ASPM) link state during the removal of upstream functions on PCIe switches with Multi-Function Device (MFD) configurations. The issue arises from improper timing in freeing the ASPM parent link state when functions on the PCIe bus are removed. Initially, the ASPM link was freed only after the last function on the bus was removed, which led to use-after-free conditions if function 0 was removed before sibling functions, causing the downstream pointer to reference freed memory. A subsequent patch attempted to free the ASPM parent link state upon any function removal, but this was premature for PCIe switches with MFD on the upstream port, as other downstream ports still referenced the parent link, leading to general protection faults (GPFs), especially during hot-unplug operations where devices are removed in reverse order. The final resolution was to free the ASPM link exactly when function 0 is removed—after all subordinate links are gone but before the parent link becomes obsolete. This fix prevents use-after-free and GPFs during device removal sequences. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes and is particularly relevant for systems using PCIe switches with MFD configurations. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
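The three freeing policies described above can be compared with a small userspace model of the link state's lifetime. This is an added example, not kernel code and not part of the original advisory; `simulate`, the `HAZ_*` flags and the two-function, two-downstream-port topology are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified userspace model (not kernel code) of one ASPM link state whose
 * downstream end is a switch upstream port. Function 0 is the P2P bridge;
 * the child links of the downstream ports hang below it. */
enum policy { FREE_ON_LAST_FN, FREE_ON_ANY_FN, FREE_ON_FN0 };

#define HAZ_DANGLING_DOWNSTREAM 1 /* live link, link->downstream removed */
#define HAZ_STALE_PARENT        2 /* freed link is still a parent_link */
#define MAX_FN 8

static const int FORWARD[] = { 0, 1 }; /* constructed: function 0 first */
static const int REVERSE[] = { 1, 0 }; /* pciehp removes in reverse order */

/* Remove functions in the given order; return a bitmask of hazards seen. */
int simulate(enum policy p, const int *order, int nfn)
{
    int present[MAX_FN], remaining = nfn, link_alive = 1, hazards = 0;
    int child_links = 2; /* assumption: two downstream ports */

    if (nfn < 1 || nfn > MAX_FN) return -1;
    for (int i = 0; i < nfn; i++) present[i] = 1;

    for (int i = 0; i < nfn; i++) {
        int fn = order[i];
        if (fn < 0 || fn >= nfn || !present[fn]) return -1;
        if (fn == 0)
            child_links = 0; /* subordinate bus is torn down first */
        present[fn] = 0;
        remaining--;

        if (p == FREE_ON_ANY_FN ||
            (p == FREE_ON_LAST_FN && remaining == 0) ||
            (p == FREE_ON_FN0 && fn == 0))
            link_alive = 0; /* link state freed at this removal */

        if (link_alive && !present[0])
            hazards |= HAZ_DANGLING_DOWNSTREAM;
        if (!link_alive && child_links > 0)
            hazards |= HAZ_STALE_PARENT;
    }
    return hazards;
}

int main(void)
{
    printf("last-fn, fn0 first: %d\n", simulate(FREE_ON_LAST_FN, FORWARD, 2));
    printf("any-fn, reverse:    %d\n", simulate(FREE_ON_ANY_FN, REVERSE, 2));
    printf("fn0-only, reverse:  %d\n", simulate(FREE_ON_FN0, REVERSE, 2));
    return 0;
}
```

Only the function-0 policy returns no hazard for both removal orders, which is the behaviour the fix establishes.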

Potential Impact

For European organizations, especially those operating data centers, telecommunications infrastructure, or industrial control systems relying on Linux-based servers and embedded systems with PCIe hardware, this vulnerability could cause system instability or crashes during hardware hot-unplug events. The use-after-free and resulting general protection faults can lead to kernel panics or system reboots, impacting availability and potentially causing downtime. While there is no indication of direct confidentiality or integrity compromise, the disruption of critical systems could affect business continuity and operational reliability. Organizations running Linux kernels with affected versions on hardware platforms utilizing PCIe switches with MFD are at risk. This is particularly relevant in sectors with high hardware churn or dynamic hardware configurations, such as cloud providers, telecom operators, and manufacturing facilities. The absence of known exploits reduces immediate risk, but the vulnerability's nature means that improper device removal sequences could inadvertently trigger system failures, impacting service availability.

Mitigation Recommendations

Organizations should promptly update their Linux kernel to versions that include the fix for CVE-2024-58093. Kernel updates should be tested in staging environments to ensure compatibility with existing PCIe hardware configurations, especially those involving PCIe switches with MFD. For environments where immediate patching is not feasible, administrators should minimize hot-unplug operations or ensure that device removal sequences follow the correct order, removing function 0 last to avoid triggering the vulnerability. Monitoring kernel logs for general protection faults or related errors during device removal can help detect attempts to exploit or inadvertently trigger the issue. Additionally, hardware vendors and system integrators should verify firmware and driver compatibility with patched kernels to prevent regressions. Implementing robust change management and hardware maintenance procedures that account for this vulnerability will reduce the risk of system crashes. Finally, organizations should maintain up-to-date inventories of hardware using PCIe switches with MFD to identify potentially affected systems.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-03-06T15:52:09.188Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd271

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 7/3/2025, 7:43:02 PM

Last updated: 8/18/2025, 2:45:55 AM
