PatchSiren cyber security CVE debrief
CVE-2024-35905 Siemens CVE debrief
An integer overflow vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) verifier could allow out-of-bounds memory access. The flaw occurs when stack access size calculations overflow their signed integer representation, resulting in negative values that bypass safety checks. This specifically affects the check_stack_range_initialized() function in the BPF verifier, where a missing protection allowed non-sensical access sizes to cause out-of-bounds array accesses. The vulnerability was inadvertently introduced when a prior safety check was removed in kernel commit a833a17aeac7. While other protections typically prevent such conditions, one code path lacked adequate safeguards. The issue affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem with BPF functionality. Local attackers with low privileges could potentially achieve high impact including confidentiality, integrity, and availability compromises. No patch is currently available from the vendor; mitigations focus on restricting access to trusted personnel and ensuring only trusted applications are executed.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with GNU/Linux subsystems enabled. Security teams managing OT/ICS environments with BPF-dependent applications. System administrators responsible for kernel security in embedded industrial platforms.
Technical summary
The BPF verifier in the Linux kernel fails to properly validate stack access sizes when integer overflow causes signed int wraparound to negative values. This occurs in check_stack_range_initialized() where a previously removed safety check allowed non-sensical negative access sizes to propagate, resulting in out-of-bounds array accesses during program verification. The vulnerability is local, requires low privileges, and has high impact potential.
Defensive priority
high
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and execute only applications from trusted sources
- Monitor for anomalous BPF program loading attempts
- Apply vendor security updates when available
- Implement defense-in-depth controls per ICS-CERT recommended practices
Evidence notes
CVE published 2024-04-09 per official CVE record. CISA ICS advisory ICSA-24-102-01 published same date. Siemens advisory SSA-265688 cross-referenced. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirmed from source. Root cause: integer overflow in BPF stack access size calculation leading to negative size values. Affected function: check_stack_range_initialized(). Historical context: safety check inadvertently removed in commit a833a17aeac7.
Official resources
-
CVE-2024-35905 CVE record
CVE.org
-
CVE-2024-35905 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-04-09