
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-35996 affects the Linux kernel and concerns the build-time default for CPU vulnerability mitigations. The CVE was published in May 2024; the fix commit is titled "cpu: Re-enable CPU mitigations by default for !X86 architectures". The problem was introduced by an earlier commit that set out to make mitigations genuinely off when x86 is built with SPECULATION_MITIGATIONS=n, but did so by keying the generic default in kernel/cpu.c on that x86-only Kconfig symbol, so every architecture that never defines it ended up with mitigations off by default (Kernel Git).
The root cause is a mismatch of scope: the cpu_mitigations variable (the state behind the mitigations= boot parameter) is generic and shared by all architectures, but its initial value was chosen by the x86-specific 'SPECULATION_MITIGATIONS' option. The fix renames x86's option to CPU_MITIGATIONS, defines it in generic Kconfig, and forces it on for every architecture except x86, where it remains user-selectable. The broader name also lets x86 use the option to govern mitigations that are not strictly about speculative execution (Kernel Git).
On an affected kernel a non-x86 build boots as if mitigations=off had been passed: architecture code that consults cpu_mitigations_off(), as the arm64 and powerpc Spectre handling does, skips its hardware mitigations unless the administrator explicitly passes mitigations=auto. Nothing at build time warns about this; the effect is visible only at runtime, in the files under /sys/devices/system/cpu/vulnerabilities/, which report "Vulnerable" for issues the kernel would otherwise have mitigated (Kernel Git).
The fix renames the option and restores the defaults: kernel/cpu.c now keys the initial value of cpu_mitigations on CONFIG_CPU_MITIGATIONS instead of CONFIG_SPECULATION_MITIGATIONS, and generic Kconfig forces that option on for non-x86 architectures, so their default is "auto" again. Update to a kernel that carries the fix; distributions track it under this CVE. To confirm on a running system, check that the kernel's config contains CONFIG_CPU_MITIGATIONS=y, that /proc/cmdline does not carry mitigations=off, and that the sysfs vulnerability files no longer report "Vulnerable" where a mitigation exists (Kernel Git, Debian LTS).
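The defaults described above and the remediation check, as an added example that is not code from this page or from the kernel tree: a POSIX shell script that models what cpu_mitigations defaults to for a given .config on a kernel carrying the offending change but not yet the fix ("pre") and on a fixed kernel ("post"), layers the mitigations= boot parameter on top the way the kernel's command-line handler does (last occurrence wins), and audits a live host through /proc/config.gz or /boot/config-*, /proc/cmdline and /sys/devices/system/cpu/vulnerabilities/. The function names (mitigations_default, mitigations_effective, audit_live) and the .config fragments used as input are the example's own and are not kernel identifiers.

```shell
#!/bin/sh
# Added example, not code from the Wiz page or the kernel tree. It models the
# build-time default of cpu_mitigations (kernel/cpu.c) around CVE-2024-35996
# and audits a running host. Function names are this example's own.

# Build-time default for an architecture and a .config given as text.
# "pre"  models a kernel with the offending change but not the fix: the
#        default is keyed on CONFIG_SPECULATION_MITIGATIONS, which only x86
#        defines, so every other architecture silently gets "off".
# "post" models a fixed kernel: CONFIG_CPU_MITIGATIONS is consulted and is
#        forced on for every architecture except x86.
# $1 = pre|post, $2 = arch (x86, arm64, powerpc, ...), $3 = .config contents
mitigations_default() {
    stage=$1
    arch=$2
    cfg=$3
    case $stage in
    pre)
        if printf '%s\n' "$cfg" | grep -qx 'CONFIG_SPECULATION_MITIGATIONS=y'; then
            echo auto
        else
            echo off
        fi ;;
    post)
        if [ "$arch" != x86 ]; then
            echo auto
        elif printf '%s\n' "$cfg" | grep -qx 'CONFIG_CPU_MITIGATIONS=y'; then
            echo auto
        else
            echo off
        fi ;;
    *)
        echo "usage: mitigations_default pre|post arch config_text" >&2
        return 2 ;;
    esac
}

# Apply the mitigations= boot parameter on top of the build-time default.
# The kernel parses every occurrence, so the last one on the line wins.
# $1 = build-time default, $2 = contents of /proc/cmdline
mitigations_effective() {
    result=$1
    for word in $2; do
        case $word in
        mitigations=off)        result=off ;;
        mitigations=auto)       result=auto ;;
        mitigations=auto,nosmt) result=auto,nosmt ;;
        esac
    done
    echo "$result"
}

# Audit the running host: which option name the config carries, the resulting
# policy, and what sysfs reports. Returns 1 if any file says "Vulnerable".
audit_live() {
    cfg=
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    fi
    arch=$(uname -m)
    case $arch in
    x86_64|i?86) arch=x86 ;;
    esac
    if [ -z "$cfg" ]; then
        echo "config: not readable, build-time default unknown"
        default=unknown
    elif printf '%s\n' "$cfg" | grep -q 'CONFIG_CPU_MITIGATIONS[= ]'; then
        echo "config: CONFIG_CPU_MITIGATIONS present (kernel carries the rename)"
        default=$(mitigations_default post "$arch" "$cfg")
    else
        echo "config: no CONFIG_CPU_MITIGATIONS (kernel predates the rename)"
        default=$(mitigations_default pre "$arch" "$cfg")
    fi
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    echo "arch: $arch, build-time default: $default"
    echo "effective policy: $(mitigations_effective "$default" "$cmdline")"
    bad=0
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] || continue
        state=$(cat "$f")
        echo "$(basename "$f"): $state"
        case $state in
        Vulnerable*) bad=1 ;;
        esac
    done
    return $bad
}

# Run the live audit only when invoked as "sh script.sh --audit", so the
# functions can also be sourced into another script.
if [ "${1:-}" = --audit ]; then
    audit_live
fi
```

On a pre-rename kernel the "pre" model assumes the offending change is present; a tree older than that change still defaulted to "auto" everywhere, and the config alone cannot tell the two apart, so the sysfs files are the ground truth. Until the kernel is updated, passing mitigations=auto on the command line overrides the broken default, as mitigations_effective shows.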
The regression was reported by Stephen Rothwell, Michael Ellerman and Geert Uytterhoeven, and the fix was acked by Josh Poimboeuf and Borislav Petkov (AMD) (Kernel Git).
Source: This report was generated using AI