PatchSiren cyber security CVE debrief
CVE-2024-36004 Siemens CVE debrief
A vulnerability in the i40e Intel Ethernet driver affects the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP industrial controllers. The issue stems from improper use of the WQ_MEM_RECLAIM flag when creating a workqueue, which can lead to memory reclaim deadlocks under memory pressure conditions. This local attack vector requires low privileges and no user interaction, with successful exploitation resulting in high availability impact (denial of service) on the affected industrial control system. The vulnerability was disclosed in April 2024 and remains unpatched as of the latest advisory update in May 2026.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Operators of Siemens SIMATIC S7-1500 TM MFP systems, industrial control system security teams, OT network defenders, and organizations running Intel i40e-based Ethernet in embedded Linux environments should prioritize monitoring and access restriction measures until a vendor patch is released.
Technical summary
The i40e driver in the Linux kernel incorrectly uses the WQ_MEM_RECLAIM flag when allocating its workqueue. This flag allows the kernel to reclaim memory from the workqueue under memory pressure, but in this driver's context can cause deadlocks because the workqueue may be needed for memory reclaim operations themselves. The vulnerability is local to the system, requiring authenticated access but no user interaction. Exploitation results in denial of service through system hang or crash. The affected product is the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP, an industrial automation platform. No patch is currently available; mitigation relies on access controls and trusted application execution.
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and run only applications from trusted sources
- Monitor for anomalous process behavior or system hangs indicative of workqueue deadlock
- Apply vendor patches when Siemens releases a fix for this vulnerability
- Segment affected industrial control systems from untrusted networks per ICS-CERT defense-in-depth guidance
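One way to act on the monitoring recommendation above is to scan the subsystem's kernel log for the two signals that tend to accompany this class of bug. This is an added example, not code from Siemens, CISA or the kernel project. It assumes the kernel log is available as text lines (for example from dmesg), that the message formats match the mainline kernel's workqueue flush-dependency warning and hung-task detector, and the sample lines are constructed.

```python
import re

# Message formats follow the mainline kernel's workqueue flush-dependency
# warning and hung-task detector; they are not quoted from the advisory.
FLUSH_DEP = re.compile(
    r"workqueue: WQ_MEM_RECLAIM (?P<wq>[^:\s]+):(?P<fn>\S+)(?: \[(?P<mod>\w+)\])?"
    r" is flushing !WQ_MEM_RECLAIM (?P<target>\S+)"
)
HUNG_TASK = re.compile(
    r"INFO: task (?P<task>\S+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds"
)

# Constructed sample lines for illustration, not captured from a real device.
SAMPLE_LOG = [
    "[  812.100001] i40e 0000:3b:00.0 eth0: NIC Link is Up, 10 Gbps Full Duplex",
    "[ 1234.567890] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] "
    "is flushing !WQ_MEM_RECLAIM infiniband:0x0",
    "[ 1500.000001] INFO: task kworker/3:1:412 blocked for more than 120 seconds.",
    "[ 1600.000002] workqueue: WQ_MEM_RECLAIM examplewq:example_work [example_mod] "
    "is flushing !WQ_MEM_RECLAIM events:0x0",
]


def scan_kernel_log(lines, driver="i40e"):
    """Return (line_no, kind, detail) tuples for log lines worth alerting on."""
    findings, warned = [], False
    for no, line in enumerate(lines, 1):
        dep = FLUSH_DEP.search(line)
        if dep:
            # Only report warnings whose flushing workqueue or module is the driver.
            if driver in (dep["wq"], dep["mod"]):
                warned = True
                detail = f"{dep['wq']}:{dep['fn']} -> {dep['target']}"
                findings.append((no, "flush-dependency", detail))
            continue
        hung = HUNG_TASK.search(line)
        if hung:
            # A blocked kworker after the warning is consistent with a
            # workqueue deadlock; any other hung task is reported generically.
            stuck_worker = warned and hung["task"].startswith("kworker")
            kind = "hang-after-warning" if stuck_worker else "hung-task"
            detail = f"{hung['task']} pid={hung['pid']} {hung['secs']}s"
            findings.append((no, kind, detail))
    return findings


if __name__ == "__main__":
    for finding in scan_kernel_log(SAMPLE_LOG):
        print(finding)
```

The flush-dependency warning is printed once per boot, so a single occurrence should be alerted on rather than rate-limited away.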
Evidence notes
CISA ICS advisory ICSA-24-102-01 documents this vulnerability in Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystem. The advisory explicitly states 'Currently no fix is available' as of the May 2026 revision. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms local attack vector with availability impact only.
Official resources
- CVE-2024-36004 CVE record (CVE.org)
- CVE-2024-36004 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09