PatchSiren cyber security CVE debrief

CVE-2024-26974 Siemens CVE debrief

A race condition vulnerability exists in the Linux kernel's Intel QuickAssist Technology (QAT) crypto driver during Advanced Error Reporting (AER) recovery. The flaw occurs when concurrent operations access shared state during PCIe error recovery, potentially leading to memory corruption or use-after-free conditions. This affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem with QAT hardware acceleration. The vulnerability requires local access with low privileges, but successful exploitation could result in high impact to confidentiality, integrity, and availability. No patch is currently available from the vendor; affected organizations should apply access controls and operational mitigations.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Industrial control system operators, OT security teams, and critical infrastructure defenders using Siemens SIMATIC S7-1500 TM MFP devices with enabled GNU/Linux subsystems. Organizations in manufacturing, energy, and process industries relying on these PLCs for automation should prioritize access restrictions and monitoring. Security architects designing ICS networks with embedded Linux components should evaluate QAT driver exposure. Patch management teams should track Siemens security advisories for future remediation availability.

Technical summary

The vulnerability resides in the crypto/qat driver within the Linux kernel, specifically during Advanced Error Reporting (AER) recovery procedures for Intel QuickAssist Technology hardware. A race condition emerges when the driver handles PCIe error recovery events while concurrent cryptographic operations are in progress. The flaw stems from improper synchronization of shared state between the error recovery path and normal operational paths. Attackers with local access and low privileges can trigger this condition, potentially causing memory corruption, use-after-free scenarios, or denial of service. The attack complexity is rated high due to timing requirements, but successful exploitation yields complete compromise of system confidentiality, integrity, and availability. The affected product is the GNU/Linux subsystem within Siemens SIMATIC S7-1500 TM MFP programmable logic controllers, which incorporate QAT acceleration for cryptographic workloads.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Build and execute only applications from trusted sources
  • Monitor for anomalous process behavior or unexpected system crashes on affected devices
  • Implement network segmentation to limit lateral movement from compromised endpoints
  • Apply defense-in-depth controls per ICS-CERT recommended practices pending vendor patch availability
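
As an added example (not part of the advisory or any vendor tooling), the sketch below shows one way to act on the crash-monitoring recommendation: it flags kernel fault messages that follow an uncorrected PCIe AER event within a short window, which is the period in which a recovery-path race would surface. It assumes the kernel log of the GNU/Linux subsystem can be exported in dmesg format; the message patterns, the 30-second window, the function names and the sample log are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in dmesg format (not captured from a real device).
SAMPLE_LOG = """\
[  812.104233] pcieport 0000:00:01.0: AER: Uncorrected (Fatal) error received: 0000:01:00.0
[  812.377410] BUG: KASAN: slab-use-after-free in process_one_work+0x1a2/0x5f0
[ 2290.551020] pcieport 0000:00:01.0: AER: Corrected error received: 0000:01:00.0
[ 5400.000871] Oops: 0000 [#1] PREEMPT SMP
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# Assumed patterns: only uncorrected AER events start error recovery.
AER = re.compile(r"AER:.*Uncorrect")
FAULT = re.compile(r"BUG: KASAN|Oops:|general protection fault|"
                   r"Unable to handle kernel|kernel BUG at")

@dataclass
class Finding:
    fault_time: float
    fault: str
    aer_time: Optional[float]  # None: no uncorrected AER event inside the window

def correlate(log_text: str, window: float = 30.0) -> List[Finding]:
    """Pair each kernel fault with the latest uncorrected AER event before it."""
    last_aer = None
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines without a dmesg timestamp
        ts, msg = float(m.group(1)), m.group(2)
        if AER.search(msg):
            last_aer = ts
        elif FAULT.search(msg):
            near = last_aer is not None and ts - last_aer <= window
            findings.append(Finding(ts, msg, last_aer if near else None))
    return findings

def high_priority(findings: List[Finding]) -> List[Finding]:
    """Faults that occurred shortly after AER recovery began."""
    return [f for f in findings if f.aer_time is not None]

if __name__ == "__main__":
    for f in high_priority(correlate(SAMPLE_LOG)):
        print(f"{f.fault_time:.6f} fault {f.fault_time - f.aer_time:.3f}s "
              f"after AER event: {f.fault}")
```

A correlated finding is a triage signal for the affected device, not proof of exploitation; faults without a nearby AER event are still returned by `correlate` for normal crash handling.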

Evidence notes

CVE published 2024-04-09 per official CVE record. CISA ICS advisory ICSA-24-102-01 published same date. Siemens CSAF advisory SSA-265688 cross-referenced. CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H confirmed from source. CWE-367 (Time-of-check Time-of-use Race Condition) identified in source references. No KEV listing. No known ransomware campaign use documented.
