PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-35877 Siemens CVE debrief

CVE-2024-35877 is a medium-severity vulnerability in the Linux kernel's x86 Page Attribute Table (PAT) memory management subsystem, specifically affecting Copy-on-Write (COW) mappings. The flaw, published on 2024-04-09 and last modified on 2026-05-14, stems from improper handling of VM_PAT in COW scenarios where page table entries (PTEs) can be replaced during write faults to point at anonymous folios.

The follow_phys() function fails to reliably recover the correct physical frame number (PFN) and cache mode in these mappings, potentially returning incorrect address and protection information from anon folios or failing on swap/non-swap entries. This failure triggers WARN_ON_ONCE() assertions in untrack_pfn() and track_pfn_copy(), leading to improper calls to free_pfn_range(), either skipping memtype_free() entirely or invoking it with incorrect ranges, resulting in possible memory leaks.

The vulnerability carries a CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating local attack vector with low attack complexity, low privileges required, and high availability impact. Siemens has identified this vulnerability as affecting the SIMATIC S7-1500 TM MFP industrial control system's GNU/Linux subsystem, with no patch currently available as of the source advisory ICSA-24-102-01. The kernel fix modifies follow_phys() to reject anonymous folios and falls back to using vma->vm_pgoff for COW mappings, though fork() operations may fail if the first page was replaced by an anon folio.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

System administrators and security engineers managing Siemens SIMATIC S7-1500 TM MFP industrial control systems with GNU/Linux subsystems; OT security teams responsible for kernel-level vulnerability management in industrial environments; Linux kernel maintainers and distributors packaging x86 PAT subsystem updates; compliance officers tracking CVE remediation status for critical infrastructure assets

Technical summary

The vulnerability exists in the Linux kernel's x86/mm/pat subsystem where VM_PAT handling fails during Copy-on-Write (COW) mapping operations. When PTEs are replaced with anonymous folios during write faults, follow_phys() cannot reliably determine the correct PFN and cache mode. This causes failures in untrack_pfn() and track_pfn_copy(), leading to improper free_pfn_range() execution with potential memtype_free() skips or incorrect range parameters, resulting in memory leaks. The fix introduces checks to reject anonymous folios in follow_phys() and uses vma->vm_pgoff as fallback for COW mappings, with fork() failing when anon folio replacement prevents cache mode recovery.

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
  • Implement application whitelisting to ensure only trusted, verified applications are built and executed on affected systems
  • Monitor for kernel WARN_ON_ONCE() messages related to untrack_pfn() or track_pfn_copy() as potential indicators of exploitation attempts
  • Apply defense-in-depth strategies for industrial control systems per CISA recommended practices pending vendor patch availability
  • Review and update incident response procedures for industrial environments where kernel memory management anomalies are detected
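One way to implement the log-monitoring action above, as an added example (not PatchSiren or Siemens code). It assumes the standard kernel WARN header layout; the sample log lines, file paths and version strings are constructed placeholders.

```python
import re

# Symbols the advisory text names for CVE-2024-35877.
WATCHED = ("untrack_pfn", "track_pfn_copy")

# WARN header: "WARNING: CPU: n PID: n at file:line symbol+0xoff/0xsize"
WARN_RE = re.compile(
    r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at (?P<src>\S+):(?P<line>\d+) "
    r"(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Follow-up line naming the task (newer kernels add a UID field).
COMM_RE = re.compile(r"CPU: \d+ (?:UID: \d+ )?PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")

# Constructed sample input; paths, offsets and versions are placeholders.
SAMPLE = """\
[  101.000001] ------------[ cut here ]------------
[  101.000002] WARNING: CPU: 1 PID: 812 at arch/x86/mm/pat/EXAMPLE.c:100 untrack_pfn+0xf4/0x100
[  101.000003] Modules linked in:
[  101.000004] CPU: 1 PID: 812 Comm: demo_app Not tainted 0.0.0-constructed #1
[  250.500000] WARNING: CPU: 0 PID: 900 at mm/EXAMPLE.c:42 some_other_func+0x10/0x20
[  250.500001] CPU: 0 PID: 900 Comm: other Not tainted 0.0.0-constructed #1
[  300.000000] WARNING: CPU: 2 PID: 955 at arch/x86/mm/pat/EXAMPLE.c:200 track_pfn_copy+0x5c/0x90
[  300.000001] CPU: 2 PID: 955 Comm: forker Not tainted 0.0.0-constructed #1
""".splitlines()


def find_pat_warnings(lines):
    """Return one dict per WARN header whose reporting symbol is watched."""
    hits, pending = [], None
    for raw in lines:
        m = WARN_RE.search(raw)
        if m:
            pending = None
            # Drop compiler suffixes such as ".constprop.0" before comparing.
            if m["sym"].split(".")[0] in WATCHED:
                pending = {"symbol": m["sym"], "pid": int(m["pid"]),
                           "source": f'{m["src"]}:{m["line"]}', "comm": None}
                hits.append(pending)
            continue
        c = COMM_RE.search(raw)
        # Attach the task name from the first matching line after the header.
        if pending and c and int(c["pid"]) == pending["pid"]:
            pending["comm"] = c["comm"]
            pending = None
    return hits


if __name__ == "__main__":
    # WARN_ON_ONCE prints once per call site per boot, so alert on a single hit.
    for hit in find_pat_warnings(SAMPLE):
        print(hit)
```

Because WARN_ON_ONCE() stays silent after its first trigger until reboot, the absence of repeat messages does not mean the condition has stopped occurring.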

Evidence notes

Vulnerability description and technical details sourced from CISA CSAF advisory ICSA-24-102-01 and CVE.org record. Affected product identification confirmed through CSAF product tree with high confidence. CVSS vector and score derived from official NVD and source advisory data. Remediation status and vendor attribution from Siemens security advisory SSA-265688 cross-referenced in CISA advisory.
