PatchSiren cyber security CVE debrief

CVE-2024-35899 Siemens CVE debrief

A race condition vulnerability exists in the Linux kernel's netfilter nf_tables subsystem, specifically affecting the SIMATIC S7-1500 TM MFP GNU/Linux subsystem. The flaw occurs when pending destroy workqueue operations race against the exit_net path during module removal, potentially causing use-after-free conditions when the destroy workqueue attempts to release elements after the associated set has already been freed. This vulnerability was resolved in the upstream Linux kernel by flushing pending destroy work before exit_net release, similar to a prior fix (commit 2c9f0293280e) that addressed a related race with netlink notifiers. The vulnerability has a CVSS 3.1 score of 6.1 (MEDIUM severity) with local attack vector, low attack complexity, and low privileges required, with potential impacts including confidentiality loss and high availability impact. No patch is currently available for the affected Siemens product; mitigations focus on restricting access to trusted personnel and ensuring only trusted applications are executed.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled, particularly in industrial control system environments where network namespaces are created and torn down or kernel modules are loaded and unloaded. It is also relevant to system administrators responsible for securing OT/ICS environments and maintaining the availability of critical infrastructure systems.

Technical summary

The vulnerability is a race condition in the Linux kernel's netfilter nf_tables subsystem between the destroy workqueue and exit_net path. When a network namespace is destroyed (such as during module removal), the exit_net path may release nf_tables sets before pending destroy workqueue operations complete. This can result in the destroy workqueue attempting to access already-freed memory, causing a use-after-free condition. The fix involves explicitly flushing pending destroy work before releasing resources in the exit_net path, mirroring a previous fix for a similar race condition involving netlink notifiers.
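The ordering problem described in the debrief summary and in the technical summary above, as an added userspace illustration that is not kernel code and not part of the advisory: a deferred "destroy" work item is queued for a set, and the namespace exit path either releases the set before that work has run (the vulnerable ordering) or flushes pending work first (the upstream fix). Deferred work is modelled as a queue that is drained explicitly, so the ordering is fixed rather than a true thread race, and an access to a released set is counted through a `freed` flag instead of dereferencing freed memory. All names (`sim_set`, `queue_destroy_work`, `flush_destroy_work`, `exit_net_unfixed`, `exit_net_fixed`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model (not kernel code) of an nf_tables set whose elements
 * are released by a deferred destroy work item. The freed flag stands in
 * for the allocator: once set, any access would be a use-after-free. */
struct sim_set {
    char name[16];
    int  elements;
    int  freed;
};

/* One queued work item; the simulated workqueue is a singly linked list. */
struct destroy_work {
    struct sim_set      *set;
    struct destroy_work *next;
};

static struct destroy_work *pending_head;   /* simulated workqueue */
static int uaf_detected;                    /* accesses to a released set */

/* Queue deferred release of a set's elements (transaction/GC side). */
static void queue_destroy_work(struct sim_set *set)
{
    struct destroy_work *w = calloc(1, sizeof(*w));
    if (!w)
        abort();
    w->set = set;
    w->next = pending_head;
    pending_head = w;
}

/* Worker body: release the elements of the set it was queued for.
 * The real kernel would dereference freed memory here; the model counts it. */
static void destroy_work_fn(struct destroy_work *w)
{
    if (w->set->freed) {
        uaf_detected++;
        return;
    }
    w->set->elements = 0;
}

/* Run every queued item to completion; this is the guarantee a flush gives. */
static void flush_destroy_work(void)
{
    while (pending_head) {
        struct destroy_work *w = pending_head;
        pending_head = w->next;
        destroy_work_fn(w);
        free(w);
    }
}

/* The namespace exit path releasing a set. */
static void release_set(struct sim_set *set)
{
    set->freed = 1;
}

/* Vulnerable ordering: the set is released while destroy work is still
 * pending; when the workqueue eventually runs, it touches freed memory.
 * Returns the number of post-release accesses (1 in this model). */
static int exit_net_unfixed(void)
{
    struct sim_set set = { "filter_set", 3, 0 };
    uaf_detected = 0;
    queue_destroy_work(&set);   /* destroy work queued before teardown */
    release_set(&set);          /* exit_net frees the set first */
    flush_destroy_work();       /* workqueue runs later: use-after-free */
    return uaf_detected;
}

/* Fixed ordering: pending destroy work is flushed before the release,
 * so the worker always sees a live set. Returns 0. */
static int exit_net_fixed(void)
{
    struct sim_set set = { "filter_set", 3, 0 };
    uaf_detected = 0;
    queue_destroy_work(&set);
    flush_destroy_work();       /* the fix: complete deferred work first */
    release_set(&set);
    return uaf_detected;
}

int main(void)
{
    printf("unfixed exit_net: %d access(es) to a released set\n", exit_net_unfixed());
    printf("fixed exit_net:   %d access(es) to a released set\n", exit_net_fixed());
    return 0;
}
```

The point the model makes is that the fix does not change the worker or the release routine; it only enforces that deferred work belonging to a namespace is drained before the namespace's objects are freed, which is the same shape as the earlier netlink-notifier fix the advisory cites.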

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Ensure only applications from trusted sources are built and executed on affected systems
  • Monitor for security updates from Siemens for patch availability
  • Apply defense-in-depth strategies for industrial control systems per CISA guidance

Evidence notes

Vulnerability description and resolution details sourced from CISA CSAF advisory ICSA-24-102-01. Affected product identification confirmed through CSAF product tree with high confidence. CVSS vector and scoring derived from official advisory. Remediation status and mitigation guidance extracted from source advisory remediations section.

Official resources

2024-04-09