CVE-2024-26891 Siemens CVE debrief

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled, particularly in industrial automation and manufacturing environments. System administrators responsible for securing OT/ICS environments should prioritize access controls given the absence of an available patch.

Technical summary

The vulnerability exists in the Linux kernel's Intel VT-d IOMMU driver. When a device is disconnected, the kernel may still attempt to issue an ATS (Address Translation Services) Invalidation request. This improper state handling can trigger a denial of service condition. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low attack complexity, requiring low privileges and no user interaction, resulting in high availability impact. The vulnerability is classified as CWE-20 (Improper Input Validation).

Defensive priority

medium

Recommended defensive actions

• Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
• Build and run applications exclusively from trusted sources
• Monitor for kernel-level IOMMU-related errors in system logs
• Apply defense-in-depth strategies for industrial control system environments per CISA guidance
• Subscribe to Siemens ProductCERT security advisories for patch availability notifications

Evidence notes

The vulnerability was disclosed in CISA ICS Advisory ICSA-24-102-01 on April 9, 2024, with subsequent advisory updates through September 2025 adding related CVEs to the same product security notice. The source advisory explicitly states that currently no fix is available for this vulnerability in the affected Siemens product.

Official resources