PatchSiren cyber security CVE debrief

CVE-2024-26897 Siemens CVE debrief

A race condition in the Linux kernel's ath9k wireless driver could allow a local attacker to cause a denial of service. The vulnerability exists because ath9k_wmi_event_tasklet() may execute before device initialization is complete, leading to use of uninitialized data structures. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates this requires local access, low privileges, and high attack complexity, with availability impact as the primary concern. Siemens has identified this as affecting the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP industrial control devices. No patch is currently available; mitigations focus on restricting access to the interactive shell and ensuring only trusted applications are executed.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

This advisory matters to organizations operating Siemens SIMATIC S7-1500 TM MFP programmable logic controllers with enabled GNU/Linux subsystems and wireless capabilities. That includes industrial control system operators in manufacturing, process control, and critical infrastructure sectors where these devices are deployed, and security teams responsible for embedded Linux systems using Qualcomm Atheros ath9k wireless chipsets. Asset owners should prioritize this vulnerability if their S7-1500 TM MFP devices expose wireless interfaces or allow user interaction with the GNU/Linux subsystem.

Technical summary

The ath9k wireless driver in the Linux kernel contains a race condition where ath9k_wmi_event_tasklet() may process events before the driver has finished initializing its internal data structures. This timing window can result in dereferencing uninitialized pointers or accessing invalid memory states, causing kernel panics or device crashes. The vulnerability is triggered through local interaction with the wireless subsystem and requires the ability to generate WMI events during the initialization phase. On affected Siemens SIMATIC S7-1500 TM MFP devices, this manifests in the GNU/Linux subsystem where the ath9k driver may be loaded for wireless connectivity. The high attack complexity reflects the narrow timing window and specific conditions required to trigger the race condition.

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access on affected SIMATIC S7-1500 TM MFP GNU/Linux subsystems to trusted personnel only
  • Implement application allowlisting to ensure only trusted applications are built and executed on affected systems
  • Monitor for anomalous wireless driver activity or system crashes that may indicate exploitation attempts
  • Apply vendor patches when Siemens releases updated firmware for the GNU/Linux subsystem
  • Review and implement CISA ICS recommended practices for defense-in-depth strategies
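
For the monitoring action above, one way to triage kernel logs is to flag crash reports whose stack passes through ath9k code, in particular ath9k_wmi_event_tasklet(). This is an added example, not code from Siemens or the advisory; it assumes the kernel log is available as text in the usual Linux oops layout (symbol+offset/size frames), and the sample log lines are constructed.

```python
import re

# Lines that open a kernel crash report.
CRASH_START = re.compile(r"BUG: |Oops: |Kernel panic - not syncing|"
                         r"general protection fault|Unable to handle kernel")
# Stack frame such as "ath9k_wmi_event_tasklet+0x5c/0x1b0 [ath9k_htc]".
FRAME = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
END = re.compile(r"---\[ end trace")
TASKLET = "ath9k_wmi_event_tasklet"  # function named in the CVE description

def find_ath9k_crashes(lines, max_report_len=80):
    """Return crash reports whose stack frames pass through ath9k code."""
    findings, report = [], None

    def close(rep):
        hits = [f for f, mod in rep["frames"]
                if f.startswith("ath9k") or mod.startswith("ath9k")]
        if hits:
            findings.append({"line": rep["line"], "header": rep["header"],
                             "ath9k_frames": hits, "wmi_tasklet": TASKLET in hits})

    for n, line in enumerate(lines, 1):
        if report is None:
            if CRASH_START.search(line):
                report = {"line": n, "header": line.strip(), "frames": []}
            continue
        report["frames"] += [(m.group(1), m.group(2) or "")
                             for m in FRAME.finditer(line)]
        # A report ends at the end-trace marker, or is cut off if it never comes.
        if END.search(line) or n - report["line"] >= max_report_len:
            close(report)
            report = None
    if report is not None:
        close(report)
    return findings

# Constructed sample log (not captured from a real device).
SAMPLE = """\
[   14.201113] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   14.530872] BUG: kernel NULL pointer dereference, address: 0000000000000008
[   14.530901] Oops: 0000 [#1] SMP
[   14.530930] RIP: 0010:ath9k_wmi_event_tasklet+0x5c/0x1b0 [ath9k_htc]
[   14.530961] Call Trace:
[   14.530975]  tasklet_action_common.isra.0+0x5e/0x110
[   14.530990]  __do_softirq+0xd1/0x2c1
[   14.531004] ---[ end trace 0000000000000000 ]---
[   97.000100] BUG: unable to handle page fault for address: ffffc90000a00000
[   97.000130] RIP: 0010:ext4_readdir+0x10/0x900
[   97.000160] ---[ end trace 0000000000000000 ]---
""".splitlines()
```

A crash flagged with wmi_tasklet set shortly after the driver loads matches the initialization-window failure described in the technical summary; repeated occurrences are worth correlating with shell logins on the subsystem.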

Evidence notes

CVE published 2024-04-09 per official CVE record. CISA advisory ICSA-24-102-01 published same date. Modified 2026-05-14. CVSS 4.7 (MEDIUM) from NVD. CWE-20 (Improper Input Validation) identified. Affects SIMATIC S7-1500 TM MFP GNU/Linux subsystem only.

Official resources

2024-04-09