PatchSiren cyber security CVE debrief
CVE-2024-35886 Siemens CVE debrief
CVE-2024-35886 is a vulnerability in the Linux kernel's IPv6 networking subsystem that could cause a denial of service through infinite recursion. The flaw exists in fib6_dump_done(), which could recursively call itself during netlink socket destruction under specific fault conditions, eventually exhausting the kernel stack and causing a crash. The vulnerability was triggered when a netlink dump operation for IPv6 routing information failed at memory allocation (kzalloc()), leaving a callback function pointer in an inconsistent state. When the socket was later destroyed, the callback mechanism would recursively invoke fib6_dump_done(), which would restore the same callback pointer from saved arguments, recursing without bound until the stack guard page was hit. The fix sets the destructor callback only after successful memory allocation, so this inconsistent state cannot arise. Siemens has identified this vulnerability as affecting the GNU/Linux subsystem in SIMATIC S7-1500 TM MFP industrial control devices. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM severity) with a local attack vector, low attack complexity, and low privileges required, with high impact on availability. No patch is currently available from Siemens; mitigations focus on restricting access to the interactive shell and ensuring only trusted applications are executed.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: 5.5 (MEDIUM)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
System administrators managing Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled; security teams responsible for OT/ICS infrastructure; Linux kernel maintainers and distributors packaging kernel versions prior to the fix
Technical summary
The vulnerability stems from improper callback state management in the Linux kernel's IPv6 forwarding information base (FIB) dump mechanism. When inet6_dump_fib() fails during kzalloc() due to memory pressure or fault injection, the fib6_dump_done() callback is already registered in nlk_sk(sk)->cb.done, and when the dump is retried the hook step saves that already-installed pointer, so the cleanup state in cb.args[3] points to the same function. During netlink socket destruction, fib6_dump_done() calls fib6_dump_end(), which restores cb.done from cb.args[3], and then invokes the restored callback, which is fib6_dump_done() again. Each recursive call consumes stack space until the guard page is reached, triggering a kernel oops or panic. The fix relocates the destructor assignment to occur only after successful memory allocation, ensuring state consistency.
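A user-space model of the ordering problem described above, added here as an illustration and not the kernel's or Siemens' code. The callback struct, the kzalloc() stand-in with a one-shot fault-injection knob, the MAX_DEPTH stand-in for the stack guard page and simulate_teardown() are all constructed; only the hook-before-allocate versus allocate-before-hook ordering and the destructor chaining through cb.args[3] follow the mechanism in this summary.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-in for the kernel's struct netlink_callback. */
struct netlink_callback;
typedef int (*done_fn)(struct netlink_callback *);
struct netlink_callback { done_fn done; long args[6]; };
#define MAX_DEPTH 64        /* stands in for hitting the kernel stack guard page */
static int fail_next_alloc; /* fault-injection knob, like the syzkaller run */
static int done_calls;      /* fib6_dump_done() invocations in the current run */

/* Frees the walker and restores the destructor saved in args[3]. */
static int fib6_dump_end(struct netlink_callback *cb) {
    free((void *)cb->args[2]);
    cb->args[2] = 0;
    cb->done = (done_fn)cb->args[3];
    return 0;
}

/* Destructor: cleans up, then chains to whatever args[3] held. When that is
 * fib6_dump_done itself the chain never ends; the depth check replaces the guard page. */
static int fib6_dump_done(struct netlink_callback *cb) {
    if (++done_calls > MAX_DEPTH) return -1;
    fib6_dump_end(cb);
    return cb->done ? cb->done(cb) : 0;
}
/* Save the current destructor in args[3] and install fib6_dump_done. */
#define HOOK_DONE(cb) ((cb)->args[3] = (long)(cb)->done, (cb)->done = fib6_dump_done)

/* hook_first=1 is the pre-fix ordering (hook, then allocate); 0 is the fix. */
static int inet6_dump_fib(struct netlink_callback *cb, int hook_first) {
    if (cb->args[2]) return 0;      /* walker exists: resume, nothing to hook */
    if (hook_first) HOOK_DONE(cb);
    /* kzalloc() stand-in: fails once when the fault-injection knob is set */
    void *w = fail_next_alloc ? (fail_next_alloc = 0, (void *)0) : calloc(1, 64);
    if (!w) return -12;             /* -ENOMEM; args[2] stays 0 */
    cb->args[2] = (long)w;
    if (!hook_first) HOOK_DONE(cb);
    return 0;
}

/* First dump fails at kzalloc(), the resumed dump re-enters the "new dump"
 * path, then socket teardown calls cb.done. Returns the destructor call count. */
int simulate_teardown(int hook_first) {
    struct netlink_callback cb = {0};
    done_calls = 0; fail_next_alloc = 1;
    inet6_dump_fib(&cb, hook_first);
    inet6_dump_fib(&cb, hook_first);
    if (cb.done) cb.done(&cb);
    return done_calls;              /* pre-fix: MAX_DEPTH + 1 (runaway); fixed: 1 */
}
int main(void) { printf("pre-fix: %d calls, fixed: %d call\n", simulate_teardown(1), simulate_teardown(0)); return 0; }
```

With the pre-fix ordering the destructor chain only stops because of the model's depth limit; in the kernel it stops at the guard page, which is the crash the advisory describes.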
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Ensure only applications from trusted sources are built and executed on the GNU/Linux subsystem
- Monitor for kernel crashes or stack overflow indicators in system logs that may indicate exploitation attempts
- Apply vendor patches when released by Siemens
- Review and implement CISA ICS recommended practices for defense-in-depth strategies
Evidence notes
Vulnerability description and technical details sourced from CISA CSAF advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. The vulnerability was originally discovered by syzkaller and fixed in the upstream Linux kernel. Siemens product impact confirmed through CSAF product tree with high confidence.
Official resources
- CVE-2024-35886 CVE record (CVE.org)
- CVE-2024-35886 NVD detail (NVD)
- Source item URL: cisa_csaf