PatchSiren cyber security CVE debrief
CVE-2024-26894 Siemens CVE debrief
A memory leak vulnerability exists in the ACPI processor_idle subsystem within the Linux kernel. The flaw occurs in acpi_processor_power_exit(), where allocated memory is not properly freed during error paths or module exit conditions. This affects the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP industrial control devices. The vulnerability is classified as MEDIUM severity with a CVSS 3.1 score of 5.5, indicating local attack vector with low attack complexity and privileges required, resulting in high availability impact. No confidentiality or integrity impacts are associated with this flaw. The vulnerability was published on April 9, 2024, and the advisory has been updated multiple times through September 2025 to include additional related CVEs. No patch is currently available from the vendor.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP programmable logic controllers with the GNU/Linux subsystem enabled should prioritize this advisory. System integrators and OT security teams managing industrial automation environments with these devices need to assess exposure, particularly where multiple users or untrusted applications may access the Linux subsystem. Asset owners in critical infrastructure sectors using affected devices for process control should implement compensating controls pending vendor patch availability.
Technical summary
The vulnerability resides in the Linux kernel's ACPI processor_idle driver, specifically in the acpi_processor_power_exit() function. This function handles cleanup during CPU power state transitions and module removal. The memory leak occurs when dynamically allocated structures for CPU idle states are not properly deallocated during certain exit paths. On affected Siemens SIMATIC S7-1500 TM MFP devices, which incorporate a GNU/Linux subsystem for extended functionality, repeated triggering of the vulnerable code path could lead to memory exhaustion. The attack requires local access with low privileges, making it primarily a concern for multi-user scenarios or compromised application contexts within the embedded Linux environment. The high availability impact rating reflects potential system instability or denial of service through resource exhaustion.
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and run applications exclusively from trusted sources
- Monitor for vendor security updates from Siemens for future patch availability
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Review and implement ICS-CERT recommended practices for securing embedded Linux subsystems
Evidence notes
Evidence derived from CISA CSAF advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. The vulnerability description and CVSS vector are sourced directly from the CSAF document. Vendor and product attribution confirmed through CSAF product tree with high confidence.
Official resources
-
CVE-2024-26894 CVE record
CVE.org
-
CVE-2024-26894 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
public