PatchSiren cyber security CVE debrief
CVE-2024-26961 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's mac802154 IEEE 802.15.4 subsystem. The flaw occurs in the mac802154_llsec_key_del function where Link Layer Security (LLSEC) key resources are not properly released, leading to potential memory corruption. This vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem. The issue was resolved in the Linux kernel with a fix for proper resource release in the LLSEC key deletion path.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Industrial control system operators, OT security engineers, and asset owners deploying Siemens SIMATIC S7-1500 TM MFP controllers in manufacturing, process control, or critical infrastructure environments should prioritize assessment and mitigation of this vulnerability.
Technical summary
The vulnerability resides in the mac802154_llsec_key_del function of the Linux kernel's IEEE 802.15.4 MAC layer implementation. When deleting Link Layer Security keys, resources are not properly released, resulting in a use-after-free condition. This memory safety defect can lead to privilege escalation or denial of service on affected systems. The CVSS 3.1 score of 7.8 (HIGH) reflects significant impact potential with local access. Siemens SIMATIC S7-1500 TM MFP industrial controllers running the GNU/Linux subsystem are confirmed affected. No patch is currently available per vendor advisory, requiring operational mitigations until remediation is released.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided firmware updates for Siemens SIMATIC S7-1500 TM MFP when available, as the advisory currently states no fix is available but Siemens may release updates through their ProductCERT portal
- Restrict access to the interactive shell of the GNU/Linux subsystem to trusted personnel only per vendor mitigation guidance
- Implement application whitelisting to ensure only trusted applications are built and executed on affected systems
- Monitor for anomalous process behavior or unexpected memory-related crashes on affected industrial controllers
- Segment affected ICS devices from untrusted networks using defense-in-depth architecture
- Review and apply CISA ICS recommended practices for industrial control system security
Evidence notes
The vulnerability description indicates a resource release issue in mac802154_llsec_key_del within the Linux kernel's mac802154 subsystem. Siemens has identified this as affecting the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP industrial controllers. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates local attack vector with low attack complexity, requiring low privileges but no user interaction, with high impact across confidentiality, integrity, and availability.
Official resources
-
CVE-2024-26961 CVE record
CVE.org
-
CVE-2024-26961 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-04-09