PatchSiren cyber security CVE debrief
CVE-2024-27052 Siemens CVE debrief
CVE-2024-27052 is a HIGH severity vulnerability (CVSS 3.1: 8.8) in the Linux kernel's rtl8xxxu Wi-Fi driver, affecting Siemens SIMATIC S7-1500 TM MFP industrial control systems with GNU/Linux subsystems. The flaw involves a race condition where the c2hcmd_work workqueue may continue running after the driver is stopped, potentially leading to use-after-free or memory corruption conditions. Published on 2024-04-09 and last modified on 2026-05-14, this vulnerability has been actively tracked by CISA in advisory ICSA-24-102-01, which has undergone nine revision cycles through September 2025 as Siemens and CISA continued adding related CVEs to the product security notice. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no known ransomware campaign use has been documented. Siemens has not released a patch for this issue; the vendor's recommended mitigations focus on access control and supply chain integrity rather than technical remediation.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Industrial control system operators using Siemens SIMATIC S7-1500 TM MFP with GNU/Linux subsystems; OT security teams managing Wi-Fi-enabled industrial devices; asset owners awaiting vendor patches for embedded Linux kernel vulnerabilities
Technical summary
The vulnerability exists in the rtl8xxxu USB Wi-Fi driver within the Linux kernel. The driver's c2hcmd_work workqueue, which handles command responses from the device, may not be properly synchronized when the driver is stopped. Without a cancel_work_sync() call to ensure the workqueue has completed before driver teardown, the workqueue could access freed memory or operate on invalid state, leading to potential kernel memory corruption. This condition requires network adjacency or local access to trigger Wi-Fi driver operations followed by driver unload or system state changes.
Defensive priority
HIGH
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Implement application whitelisting to ensure only trusted sources are built and executed
- Monitor for anomalous Wi-Fi driver behavior or unexpected workqueue activity on affected systems
- Apply defense-in-depth strategies per CISA ICS recommended practices pending vendor patch availability
- Review Siemens security advisory SSA-265688 for updated remediation guidance
Evidence notes
Vulnerability description and CVSS vector derived from CISA CSAF source ICSA-24-102-01. Vendor attribution to Siemens and product identification as SIMATIC S7-1500 TM MFP - GNU/Linux subsystem confirmed through CSAF product tree with high confidence. Remediation status of 'no fix available' and specific mitigation guidance extracted from source remediations array. Timeline of nine advisory revisions from April 2024 through September 2025 documented in source revision history. KEV status confirmed null in enrichment data.
Official resources
-
CVE-2024-27052 CVE record
CVE.org
-
CVE-2024-27052 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-04-09