PatchSiren cyber security CVE debrief
CVE-2024-35976 Siemens CVE debrief
CVE-2024-35976 is a medium-severity vulnerability (CVSS 6.7) affecting the Linux kernel's XDP socket (xsk) subsystem, specifically involving improper validation of user input for XDP_UMEM_COMPLETION_FILL_RING operations. The vulnerability was published on April 9, 2024, and last modified on May 14, 2026. Siemens has identified this vulnerability as affecting the GNU/Linux subsystem within its SIMATIC S7-1500 TM MFP industrial control product. The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS vector of AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating local attack vector, high attack complexity, no privileges required, no user interaction, and high impact to confidentiality and integrity but no availability impact. As of the latest advisory update, no patch is available from Siemens. The vendor recommends limiting access to the interactive shell of the GNU/Linux subsystem to trusted personnel only and ensuring that only applications from trusted sources are built and executed. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no known ransomware campaign use has been reported.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- MEDIUM 6.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial controllers with the GNU/Linux subsystem enabled should prioritize this vulnerability. OT security teams, industrial control system administrators, and asset owners in manufacturing, process control, and critical infrastructure sectors using this specific Siemens product family should assess their exposure and implement recommended mitigations until a patch becomes available. Security teams responsible for vulnerability management in converged IT/OT environments should track this advisory for updates.
Technical summary
The vulnerability exists in the Linux kernel's AF_XDP socket implementation where user input for XDP_UMEM_COMPLETION_FILL_RING operations is not properly validated. This can lead to out-of-bounds write conditions. The affected component is the GNU/Linux subsystem embedded within Siemens SIMATIC S7-1500 TM MFP industrial controllers. The attack requires local access with high complexity, making exploitation more difficult but potentially granting high confidentiality and integrity impact if successful. No availability impact is associated with this vulnerability per the CVSS vector.
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Implement application whitelisting to ensure only trusted, verified applications are built and executed on the GNU/Linux subsystem
- Monitor CISA ICS advisories and Siemens ProductCERT security advisories for patch availability
- Apply defense-in-depth strategies for industrial control systems per CISA recommended practices
- Review and assess network segmentation to limit exposure of affected devices
- Establish monitoring for anomalous activity on affected systems pending patch availability
Evidence notes
Vulnerability description and affected product information sourced from CISA CSAF advisory ICSA-24-102-01. CVSS scoring and vector details provided in source metadata. Remediation status and vendor recommendations extracted from CSAF remediations section. Timeline information derived from CVE published and modified dates per source metadata.
Official resources
-
CVE-2024-35976 CVE record
CVE.org
-
CVE-2024-35976 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-04-09