PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-36974 Siemens CVE debrief

CVE-2024-36974 is a medium-severity vulnerability (CVSS 5.5) in the Linux kernel's taprio network scheduler, affecting the Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystem. The flaw exists in the `taprio_parse_mqprio_opt()` function within `net/sched/taprio.c`, where improper validation of the `TCA_TAPRIO_ATTR_PRIOMAP` attribute allows userspace to inject arbitrary data into the kernel on subsequent calls to `taprio_change()`. The vulnerability stems from a state-dependent validation bypass: an initial call with valid attributes sets `dev->num_tc` to a non-zero value, causing a second call with malicious mqprio attributes to return early from validation without proper checks, potentially leading to denial of service conditions. Published on April 9, 2024, and last modified on May 14, 2026, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Siemens has not released a patch as of the advisory date; mitigations focus on restricting access to the GNU/Linux subsystem's interactive shell to trusted personnel only and ensuring only applications from trusted sources are built and executed.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Industrial control system operators, OT security engineers, and asset owners deploying Siemens SIMATIC S7-1500 TM MFP with the GNU/Linux subsystem enabled. Organizations utilizing time-sensitive networking (TSN) features with taprio scheduling should prioritize access controls until a patch is available.

Technical summary

The vulnerability resides in the taprio (Time-Aware Priority Shaper) network scheduler implementation in the Linux kernel. The `taprio_parse_mqprio_opt()` function fails to consistently validate the `TCA_TAPRIO_ATTR_PRIOMAP` attribute across multiple invocations. When `taprio_change()` is called initially with valid attributes, `dev->num_tc` is set to a non-zero value. On a subsequent call with arbitrary or malicious mqprio attributes, the function returns early from `taprio_parse_mqprio_opt()` due to the existing non-zero `dev->num_tc` state, bypassing validation and allowing injection of arbitrary data into kernel structures. This state-dependent validation flaw can result in undefined behavior and denial of service. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects a local attack scenario requiring low privileges with high availability impact.
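As an added illustration (not the kernel's code and not taken from the advisory), the following simplified C model reproduces the validation shape described above: a first call sets `num_tc`, a second call is then accepted without its attribute being checked, and the hardened form validates on every call. Struct and function names are stand-ins chosen for this example.

```c
#include <stddef.h>

/* Stand-in for struct tc_mqprio_qopt (simplified model, not kernel code) */
struct mqprio_opt {
    unsigned char num_tc;
    unsigned char prio_tc_map[16];
};

/* Stand-in for the two net_device fields the check depends on */
struct net_dev {
    unsigned int num_tx_queues;
    unsigned char num_tc;
};

/* The per-attribute checks that the early return skips */
static int validate_mqprio(const struct net_dev *dev, const struct mqprio_opt *q)
{
    if (q->num_tc == 0 || q->num_tc > dev->num_tx_queues)
        return -1;                       /* more classes than HW queues */
    for (int i = 0; i < 16; i++)
        if (q->prio_tc_map[i] >= q->num_tc)
            return -1;                   /* priority mapped to a non-existent class */
    return 0;
}

/* Vulnerable shape: a non-zero dev->num_tc left by an earlier call short-circuits validation */
int parse_mqprio_vulnerable(struct net_dev *dev, const struct mqprio_opt *q)
{
    if (!q) return dev->num_tc ? 0 : -1;
    if (dev->num_tc) return 0;           /* early return: q is never validated */
    if (validate_mqprio(dev, q)) return -1;
    dev->num_tc = q->num_tc;
    return 0;
}

/* Hardened shape: validate the attribute every time one is supplied */
int parse_mqprio_fixed(struct net_dev *dev, const struct mqprio_opt *q)
{
    if (!q) return dev->num_tc ? 0 : -1;
    if (validate_mqprio(dev, q)) return -1;
    dev->num_tc = q->num_tc;
    return 0;
}

/* Replays the two-call sequence from the summary with constructed inputs; returns the second result */
int second_call_result(int (*parse)(struct net_dev *, const struct mqprio_opt *))
{
    struct net_dev dev = { .num_tx_queues = 8, .num_tc = 0 };
    struct mqprio_opt good = { .num_tc = 2 };          /* valid: map defaults to class 0 */
    struct mqprio_opt bad = { .num_tc = 200 };         /* constructed: exceeds 8 tx queues */
    bad.prio_tc_map[0] = 255;                          /* constructed: out-of-range map entry */
    if (parse(&dev, &good) != 0) return -2;            /* first call establishes state */
    return parse(&dev, &bad);                          /* 0 = accepted unchecked, -1 = rejected */
}
```

The vulnerable variant returns 0 for the second call, the fixed variant returns -1.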

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access to the SIMATIC S7-1500 TM MFP GNU/Linux subsystem to authorized personnel only
  • Implement application whitelisting to ensure only trusted applications are built and executed on affected systems
  • Monitor for anomalous network scheduler configuration changes or repeated taprio interface modifications
  • Apply defense-in-depth strategies per ICS-CERT recommended practices for industrial control systems
  • Subscribe to Siemens ProductCERT security advisories for patch availability notifications

Evidence notes

Vulnerability description and product impact derived from CISA CSAF advisory ICSA-24-102-01. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with low attack complexity, low privileges required, and high availability impact. No confidentiality or integrity impact per CVSS scoring.

Official resources

2024-04-09