PatchSiren

CVE-2024-41049 Siemens CVE debrief

CVE-2024-41049 is a Linux kernel use-after-free in filelock/posix_lock_inode. In Siemens advisory ICSA-25-072-03 for SIMATIC S7-1500 TM MFP - BIOS, the issue is described as a race in which a lock entry can be freed before the tracepoint fires; the documented fix is to move the tracepoint inside the spinlock. At publication, Siemens listed no fix and only a trusted-source workaround.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - BIOS
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-11
Original CVE updated: 2025-09-09
Advisory published: 2025-03-11
Advisory updated: 2025-09-09

Who should care

Operators and maintainers of Siemens SIMATIC S7-1500 TM MFP - BIOS systems, OT/embedded Linux administrators, and security teams responsible for controlling local code execution on affected devices.

Technical summary

The supplied source describes a Linux kernel bug in posix_lock_inode where a request pointer is changed to reference a lock entry on the inode list, but another task can race in and free that lock before trace_posix_lock_inode() runs, triggering a KASAN UAF warning. Siemens’ advisory ties this CVE to SIMATIC S7-1500 TM MFP - BIOS and gives CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 High). The stated remediation is to move the tracepoint inside the spinlock, and the advisory notes that no fix was available at publication.
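
The ordering problem described above, modelled in user-space C as an added example (not code from the Linux kernel, Siemens, or the advisory). The lock, entry and function names are hypothetical, the free is represented by a poison flag rather than a real free(), and the racing task's timing is fixed by construction so the outcome is deterministic.

```c
/* User-space model (added example, not kernel code); all names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct lock_entry { int owner; bool freed; };     /* 'freed' is a poison flag, not a real free() */
static atomic_flag list_lock = ATOMIC_FLAG_INIT;  /* models the spinlock */
static struct lock_entry on_list;                 /* models the entry on the inode list */

static void spin_lock(void)    { while (atomic_flag_test_and_set(&list_lock)) { } }
static void spin_unlock(void)  { atomic_flag_clear(&list_lock); }
static bool spin_trylock(void) { return !atomic_flag_test_and_set(&list_lock); }

/* The other task: it may remove and free the entry only while it holds the lock. */
static void other_task_frees_entry(void)
{
    if (!spin_trylock())
        return;                 /* lock is held elsewhere, so the entry stays alive */
    on_list.freed = true;
    spin_unlock();
}

/* Models the tracepoint reading the entry; true means it touched a freed entry. */
static bool trace_touches_freed(const struct lock_entry *fl) { return fl->freed; }

/* Ordering described as buggy: the tracepoint runs after the spinlock is dropped. */
bool trace_after_unlock(void)
{
    on_list = (struct lock_entry){ .owner = 1, .freed = false };
    spin_lock();
    struct lock_entry *request = &on_list;  /* request now references the list entry */
    spin_unlock();
    other_task_frees_entry();               /* constructed interleaving in the race window */
    return trace_touches_freed(request);
}

/* Ordering of the documented fix: the tracepoint sits inside the spinlock. */
bool trace_inside_lock(void)
{
    on_list = (struct lock_entry){ .owner = 1, .freed = false };
    spin_lock();
    struct lock_entry *request = &on_list;
    other_task_frees_entry();               /* same interleaving, now blocked by the lock */
    bool touched = trace_touches_freed(request);
    spin_unlock();
    return touched;
}

int main(void) { printf("after unlock: %d, inside lock: %d\n", trace_after_unlock(), trace_inside_lock()); return 0; }
```

When reviewing a backported kernel patch for this class of bug, the point to confirm is that every read of the list entry, including tracing and logging, happens before the unlock.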

Defensive priority

High

Recommended defensive actions

  • Review the Siemens CSAF advisory and associated product guidance for SIMATIC S7-1500 TM MFP - BIOS.
  • Apply the vendor-documented workaround: only build and run applications from trusted sources.
  • Limit local access and reduce opportunities for untrusted code execution on affected systems.
  • Track Siemens and upstream Linux kernel advisories for a vendor fix and deploy it promptly when available.
  • Follow CISA ICS recommended practices and defense-in-depth guidance for OT environments.

Evidence notes

Primary evidence comes from the CISA CSAF source item (ICSA-25-072-03), published 2025-03-11 and modified 2025-09-09, which includes the Linux kernel UAF description, the Siemens product association, the CVSS vector, and the remediation status. Siemens’ linked CSAF/HTML advisory references the same issue and the same remediation language. The later 2025-09-09 modification in the source history should not be treated as the CVE issue date; the disclosure date is 2025-03-11.

Official resources

Publicly disclosed on 2025-03-11. The source advisory was modified on 2025-09-09 to add a different CVE, but CVE-2024-41049’s disclosure date remains 2025-03-11.