PatchSiren cyber security CVE debrief
CVE-2024-26901 Siemens CVE debrief
A kernel information leak vulnerability exists in the Linux kernel's `do_sys_name_to_handle()` function. The issue stems from the use of `kmalloc()` without proper initialization, which can expose uninitialized kernel memory to user space. The vulnerability has been resolved by switching to `kzalloc()` to ensure zero-initialization of allocated memory. This vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem. The CVSS 3.1 score of 5.3 (MEDIUM) reflects network accessibility with low attack complexity, requiring no privileges or user interaction, with availability impact as the primary concern. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled should prioritize this vulnerability. System administrators responsible for OT/ICS environments, security teams managing industrial control system security postures, and compliance officers tracking CVE remediation for critical infrastructure assets should monitor this issue. The vulnerability is particularly relevant for environments where the GNU/Linux subsystem is exposed to network access or where untrusted code execution is possible.
Technical summary
The vulnerability exists in the Linux kernel function `do_sys_name_to_handle()`, which is used to obtain a file handle from a pathname. The original implementation used `kmalloc()` to allocate memory for the file handle structure without zero-initializing the allocated memory. This can result in kernel information leakage to user space, as uninitialized memory may contain sensitive kernel data. The fix replaces `kmalloc()` with `kzalloc()`, which zero-initializes the allocated memory, preventing information disclosure. The vulnerability is remotely exploitable with low complexity and requires no authentication, though the confidentiality impact is none per the CVSS scoring, with availability impact rated as low.
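The allocation pattern described above, modelled in user space as an added example (not code from the kernel, Siemens or the advisory). The struct layout, the sizes, the 0xA5 filler and the assumption that the encoder writes fewer bytes than are later copied out are all constructed for illustration.

```c
/* User-space model of the kmalloc()/kzalloc() difference; all values constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xA5          /* stands in for leftover kernel heap contents */
#define HANDLE_BYTES 12     /* buffer size requested by the caller (constructed) */
#define ENCODED_BYTES 10    /* bytes the encoder actually writes (assumption) */

struct handle {             /* simplified stand-in for the kernel's file handle */
    unsigned int handle_bytes;
    int handle_type;
    unsigned char f_handle[];
};

/* Model allocator: memory arrives dirty unless zeroing is requested. */
static void *model_alloc(size_t n, int zero)
{
    void *p = malloc(n);
    if (p)
        memset(p, zero ? 0 : STALE, n);
    return p;
}

/* Builds a handle, copies the whole object out, counts stale bytes that escaped. */
int leaked_bytes(int zero)
{
    size_t total = sizeof(struct handle) + HANDLE_BYTES;
    unsigned char user_buf[sizeof(struct handle) + HANDLE_BYTES];
    struct handle *h = model_alloc(total, zero);
    int leaked = 0;

    if (!h)
        return -1;
    h->handle_bytes = HANDLE_BYTES;
    h->handle_type = 1;
    memset(h->f_handle, 0x11, ENCODED_BYTES);   /* encoder fills only part */
    memcpy(user_buf, h, total);                 /* models the copy to user space */
    for (size_t i = sizeof(struct handle); i < total; i++)
        leaked += (user_buf[i] == STALE);
    free(h);
    return leaked;
}

int main(void)
{
    printf("kmalloc-style: %d stale bytes reach the caller\n", leaked_bytes(0));
    printf("kzalloc-style: %d stale bytes reach the caller\n", leaked_bytes(1));
    return 0;
}
```

The zeroing variant costs one extra pass over the buffer at allocation time and removes the dependency on every encoder filling every byte it reports.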
Defensive priority
medium
Recommended defensive actions
- Limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor Siemens security advisories for future patch availability
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-24-102-01, which references the Linux kernel fix for kernel-infoleak in `do_sys_name_to_handle()`. The affected product is explicitly identified as Siemens SIMATIC S7-1500 TM MFP - GNU/Linux subsystem. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L is provided in the source advisory. The source advisory indicates no fix is currently available as of the last modification date (2026-05-14).
Official resources
- CVE-2024-26901 CVE record (CVE.org)
- CVE-2024-26901 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09