PatchSiren cyber security CVE debrief
CVE-2024-26973 Siemens CVE debrief
A vulnerability in the Linux kernel's FAT filesystem implementation could allow information disclosure through uninitialized memory in file handles. When `fat_encode_fh_nostale()` encodes a file handle without a parent, it stores only 10 bytes, but the handle length must be a multiple of 4 bytes, leaving the last 2 bytes uninitialized. This uninitialized memory could be leaked to userspace. Siemens has identified this vulnerability as affecting the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control system. The vulnerability was published on April 9, 2024, and the advisory has been updated multiple times through September 2025 to include additional related CVEs. No patch is currently available from Siemens for this product.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled should assess their exposure. System administrators responsible for industrial control system security should implement the recommended access controls and monitor for patch availability. Security teams should evaluate whether the GNU/Linux subsystem is required for operations and consider disabling it if not essential. Compliance officers in regulated industries should document risk acceptance decisions given the unpatched status of this vulnerability. The vulnerability is not known to be exploited in ransomware campaigns and is not listed in CISA's Known Exploited Vulnerabilities catalog.
Technical summary
The vulnerability exists in the FAT filesystem implementation within the Linux kernel, specifically in the `fat_encode_fh_nostale()` function. When encoding file handles without a parent directory, the function writes 10 bytes of data but the file handle structure requires 12 bytes (multiple of 4). The remaining 2 bytes are left uninitialized, potentially leaking kernel memory contents to userspace when the file handle is returned to user processes. This represents a CWE-457 (Use of Uninitialized Variable) weakness. The upstream Linux kernel has resolved this issue, but Siemens has not yet released a patch for the GNU/Linux subsystem in the SIMATIC S7-1500 TM MFP product.
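A userspace model of the encoding pattern described above, added here as an illustration; it is not the kernel's code or Siemens' code. The function names, field layout and sample values are assumptions, and the `0xAA` fill is a constructed stand-in for whatever the buffer held before.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only: names and layout are assumptions, not kernel source. */
#define HANDLE_WORDS 3u    /* reported handle length in 4-byte units (12 bytes) */
#define STALE        0xAAu /* constructed stand-in for leftover memory contents */

struct inode_id { uint32_t gen; uint32_t pos_low; uint16_t pos_hi; };

/* Before: writes 4 + 4 + 2 = 10 bytes but reports 12; bytes 10..11 are untouched. */
static unsigned encode_unpadded(uint8_t *fh, const struct inode_id *id)
{
    memcpy(fh, &id->gen, 4);
    memcpy(fh + 4, &id->pos_low, 4);
    memcpy(fh + 8, &id->pos_hi, 2);
    return HANDLE_WORDS;
}

/* After: clear the whole reported length first, then fill in the fields. */
static unsigned encode_padded(uint8_t *fh, const struct inode_id *id)
{
    memset(fh, 0, HANDLE_WORDS * 4u);
    return encode_unpadded(fh, id);
}

/* Count bytes inside the reported length that still hold the stale pattern. */
static size_t stale_bytes(unsigned (*enc)(uint8_t *, const struct inode_id *))
{
    /* Constructed sample values; no payload byte equals STALE. */
    const struct inode_id id = { 0x11223344u, 0x55667788u, 0x99BBu };
    uint8_t fh[16];
    size_t i, n = 0;

    memset(fh, STALE, sizeof fh);      /* simulate previously used memory */
    unsigned len = enc(fh, &id) * 4u;  /* bytes that would reach the caller */
    for (i = 0; i < len; i++)
        n += (fh[i] == STALE);
    return n;
}

int main(void)
{
    printf("unpadded: %zu stale byte(s) in handle\n", stale_bytes(encode_unpadded));
    printf("padded:   %zu stale byte(s) in handle\n", stale_bytes(encode_padded));
    return 0;
}
```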
Defensive priority
medium
Recommended defensive actions
- Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for updates from Siemens regarding patch availability for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-24-102-01, which references Siemens security advisory SSA-265688. The issue was resolved in the upstream Linux kernel but remains unpatched in the affected Siemens product. The CVSS vector indicates a local attack vector with low attack complexity, requiring low privileges and resulting in high availability impact.
Official resources
- CVE-2024-26973 CVE record (CVE.org)
- CVE-2024-26973 NVD detail (NVD)
- Source item URL (cisa_csaf)