PatchSiren

CVE-2024-26885 Siemens CVE debrief

CVE-2024-26885 is a HIGH severity vulnerability (CVSS 7.8) in the Linux kernel's BPF subsystem affecting DEVMAP_HASH operations on 32-bit architectures. The flaw stems from an integer overflow condition during hash bucket allocation when rounding max_entries to the next power of two. On 32-bit systems, the rounding operation itself can trigger undefined behavior by left-shifting a 32-bit unsigned long value by 32 bits, so the result is not guaranteed to truncate to the zero value the overflow check expects and can instead lead to a crash. The vulnerability was demonstrated by Syzbot on arm32 with max_entries exceeding 0x80000000. Siemens has identified this as affecting the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP industrial control systems. No patch is currently available from the vendor; mitigations focus on access restriction and trusted application execution.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with enabled GNU/Linux subsystems, particularly those deploying custom BPF applications on 32-bit ARM architectures. Industrial control system operators with embedded Linux environments using eBPF/XDP networking stacks should assess exposure.

Technical summary

The vulnerability exists in kernel/bpf/devmap.c where devmap_hash_map_alloc() calculates hash bucket counts. The original code performed overflow detection after rounding max_entries to the next power of two using roundup_pow_of_two(), which on 32-bit architectures executes a left shift that may itself overflow. The fix relocates overflow validation prior to the rounding operation, ensuring proper bounds checking before any undefined behavior can occur. The crash condition requires local access to create BPF maps with specifically crafted max_entries values exceeding 0x80000000.
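
The check-before-round ordering described above, as an added example that is not the kernel's or Siemens' code. It models a 32-bit unsigned long with uint32_t, and the function names and the handling of max_entries == 0 are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* uint32_t stands in for a 32-bit unsigned long, so the model gives the
 * same answers on any host. All names here are hypothetical. */

/* Shift count a "1 << bits-needed-for(n - 1)" round-up would use; n >= 1. */
static unsigned roundup_shift32(uint32_t n)
{
    unsigned bits = 0;
    for (uint32_t v = n - 1; v != 0; v >>= 1)
        bits++;
    return bits;
}

/* Audit helper: 1 if rounding max_entries up would need a shift by 32 on a
 * 32-bit type, which C leaves undefined. The shift is never performed. */
int roundup_shift_is_undefined32(uint32_t max_entries)
{
    return max_entries != 0 && roundup_shift32(max_entries) >= 32;
}

/* Check-first ordering: validate the bound, then round. Returns the bucket
 * count, or 0 when the request is rejected (0 is never a valid count).
 * Treating max_entries == 0 as rejected is an assumption of this model. */
uint32_t devmap_hash_buckets_checked(uint32_t max_entries)
{
    if (max_entries == 0 || max_entries > (UINT32_C(1) << 31))
        return 0;
    return UINT32_C(1) << roundup_shift32(max_entries); /* shift <= 31 */
}

int main(void)
{
    /* Constructed sample values around the 0x80000000 boundary. */
    const uint32_t samples[] = { 1, 1000, 0x80000000u, 0x80000001u, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("max_entries=0x%08x undefined_shift=%d buckets=0x%08x\n",
               (unsigned)samples[i],
               roundup_shift_is_undefined32(samples[i]),
               (unsigned)devmap_hash_buckets_checked(samples[i]));
    return 0;
}
```

The audit helper can be applied to max_entries values collected from existing DEVMAP_HASH map definitions to flag configurations above the boundary.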

Defensive priority

HIGH

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Build and run applications exclusively from trusted sources
  • Monitor for kernel updates from Siemens addressing this vulnerability
  • Assess exposure of 32-bit ARM-based deployments using BPF maps with large max_entries values
  • Review BPF map configurations for DEVMAP_HASH instances with max_entries approaching or exceeding 0x80000000

Evidence notes

Vulnerability confirmed in Linux kernel BPF devmap code. Syzbot reproduction demonstrated crash on arm32 architecture. Siemens CSAF advisory ICSA-24-102-01 confirms affected product status with no fix available as of last advisory update 2026-05-14.
