PatchSiren cyber security CVE debrief
CVE-2024-35811 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's Broadcom FullMAC (brcmfmac) Wi-Fi driver, specifically within the `brcmf_cfg80211_detach` function. This flaw occurs during the teardown of the wireless configuration interface, where a memory region may be accessed after it has been freed, leading to potential system instability or denial of service. The vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem with the brcmfmac driver. Local attackers with low privileges could exploit this flaw to trigger a denial of service condition. No patch is currently available from the vendor; mitigation relies on restricting access to trusted personnel and ensuring only trusted applications are executed.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators, OT security engineers, and asset owners deploying Siemens SIMATIC S7-1500 TM MFP with the GNU/Linux subsystem should prioritize this vulnerability. Organizations in manufacturing, process control, and critical infrastructure sectors relying on this platform for edge computing or data processing applications are affected. Security teams responsible for patch management in air-gapped or latency-sensitive OT environments should monitor for vendor updates while implementing compensating controls.
Technical summary
The vulnerability resides in the `brcmf_cfg80211_detach` function of the Broadcom FullMAC wireless driver (brcmfmac) in the Linux kernel. During the detachment and cleanup of the cfg80211 wireless configuration interface, a race condition or improper sequencing can result in a use-after-free condition. The affected memory object, typically a wiphy (wireless PHY) structure or associated configuration data, may be referenced after deallocation. This manifests as a local denial of service through kernel panic or system instability. The attack requires local access with low privileges and no user interaction. The vulnerability does not impact confidentiality or integrity per the CVSS vector.
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Implement application whitelisting to ensure only trusted, verified applications are built and executed on the GNU/Linux subsystem
- Monitor for anomalous process behavior or system crashes that may indicate exploitation attempts
- Subscribe to Siemens ProductCERT security advisories for notification when a security patch becomes available
- Review and apply CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
Evidence notes
The vulnerability was disclosed in the Linux kernel and subsequently included in CISA's ICS advisory ICSA-24-102-01, which was initially published on 2024-04-09 and has undergone multiple revisions through 2025-09-09 to incorporate additional CVEs. Siemens has confirmed affected status for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates local attack vector with low attack complexity and low privileges required, resulting in high availability impact. No known exploitation in ransomware campaigns has been reported.
Official resources
- CVE-2024-35811 CVE record (CVE.org)
- CVE-2024-35811 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09