PatchSiren cyber security CVE debrief
CVE-2024-26883 Siemens CVE debrief
A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem affects the stackmap overflow check on 32-bit architectures. The flaw could allow a local attacker with low privileges to cause a denial of service (system crash) due to an improper overflow check. Siemens has confirmed this vulnerability affects the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control device. The vulnerability was published on April 9, 2024, and the advisory has been updated multiple times through September 2025 to include additional CVEs affecting the same product line. No patch is currently available from Siemens; mitigation relies on restricting access to trusted personnel and running only trusted applications.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled, particularly those in critical infrastructure sectors. System administrators responsible for securing OT/ICS environments and maintaining availability of industrial automation systems should prioritize access controls and monitoring for this vulnerability.
Technical summary
The vulnerability exists in the BPF subsystem's stackmap implementation on 32-bit architectures. An improper overflow check in the stackmap code path could be triggered by a local attacker with low privileges, resulting in a denial of service condition. The flaw is classified under CWE-20 (Improper Input Validation). The affected product is the SIMATIC S7-1500 TM MFP, specifically its GNU/Linux subsystem, which incorporates the vulnerable Linux kernel component. No firmware update is currently available to address this vulnerability.
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Implement application whitelisting to ensure only trusted applications are built and executed on the GNU/Linux subsystem
- Monitor for anomalous BPF-related activity or system crashes that could indicate exploitation attempts
- Apply defense-in-depth strategies including network segmentation for industrial control systems per CISA recommended practices
- Subscribe to Siemens ProductCERT security advisories for notification when a patch becomes available
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-24-102-01, which references Siemens security advisory SSA-265688. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates local attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact. The CWE-20 (Improper Input Validation) classification is referenced in the source advisory.
Official resources
-
CVE-2024-26883 CVE record
CVE.org
-
CVE-2024-26883 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
This vulnerability was disclosed through coordinated disclosure via CISA and Siemens. The initial advisory (ICSA-24-102-01) was published on April 9, 2024, with subsequent updates adding related CVEs through September 2025.