PatchSiren cyber security CVE debrief
CVE-2024-43834 Siemens CVE debrief
A vulnerability in the Linux kernel's XDP (eXpress Data Path) subsystem could cause system instability when network drivers using page pools are torn down. The issue stems from an invalid wait context when `page_pool_destroy()` is called under `rcu_read_lock()`, leading to a potential deadlock or warning condition. Siemens has confirmed this affects the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial controller. No patch is currently available from the vendor.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP controllers in industrial environments, particularly those utilizing the GNU/Linux subsystem for custom networking applications or XDP-based packet processing. System administrators responsible for maintaining availability of industrial control systems should prioritize access controls until patches are available.
Technical summary
The vulnerability is a kernel-level synchronization issue in the XDP subsystem's page pool destruction path. When XDP-enabled network drivers tear down, the `xdp_unreg_mem_model()` function calls `page_pool_destroy()` while holding `rcu_read_lock()`. That call path then tries to take a mutex with `mutex_lock()` through `mem_allocator_disconnect()`, violating the Linux kernel locking rule that code must not sleep inside an RCU read-side critical section. The result is an invalid wait context warning and potential system instability. The issue affects the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP industrial controllers, which use a Linux-based environment for running custom applications alongside the primary PLC runtime.
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and run only applications from trusted sources
- Monitor for kernel warning messages related to page pool or RCU lock contexts
- Apply vendor patches when released by Siemens
- Review network driver configurations for XDP-enabled interfaces
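One way to act on the log-monitoring recommendation above, as an added example (not Siemens or PatchSiren code): a Python filter that groups kernel log lines into lockdep "Invalid wait context" reports and keeps only those whose trace includes the functions named in this debrief. It assumes a lockdep-enabled kernel that prints that banner; the sample log, lock name, offsets and the 40-line window are constructed for illustration.

```python
import re

# Functions this debrief names on the faulty XDP teardown path.
PATH_SYMBOLS = {"xdp_unreg_mem_model", "page_pool_destroy", "mem_allocator_disconnect"}
BANNER = "[ BUG: Invalid wait context ]"  # lockdep banner (assumes lockdep is enabled)
SYM_RE = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]")
TASK_RE = re.compile(r"(\S+)/(\d+) is trying to lock:")
WINDOW = 40  # lines kept per report after the banner (assumed bound)

# Constructed sample log, not captured from a real device.
SAMPLE_LOG = """\
[  245.310115] [ BUG: Invalid wait context ]
[  245.310124] ip/812 is trying to lock:
[  245.310127] (example_lock){+.+.}-{3:3}, at: mem_allocator_disconnect+0x73/0x150
[  245.310140] Call Trace:
[  245.310143]  page_pool_destroy+0x88/0x1a0
[  245.310149]  xdp_unreg_mem_model+0x7b/0xc0
[  300.000004] [ BUG: Invalid wait context ]
[  300.000007] worker/7 is trying to lock:
[  300.000010]  other_driver_fn+0x10/0x40
"""

def split_reports(lines):
    """Group lines into reports, each starting at a lockdep banner."""
    reports, cur = [], None
    for line in lines:
        if BANNER in line:
            cur = [line]
            reports.append(cur)
        elif cur is not None and len(cur) < WINDOW:
            cur.append(line)
    return reports

def find_teardown_reports(lines):
    """Return reports whose trace passes through the page pool destroy path."""
    findings = []
    for report in split_reports(lines):
        text = "\n".join(report)
        hits = set(SYM_RE.findall(text)) & PATH_SYMBOLS
        # page_pool_destroy alone is too weak a signal: require a second path symbol.
        if "page_pool_destroy" in hits and len(hits) >= 2:
            ts, task = TS_RE.match(report[0]), TASK_RE.search(text)
            findings.append({
                "time": float(ts.group(1)) if ts else None,
                "task": task.group(1) if task else None,
                "pid": int(task.group(2)) if task else None,
                "symbols": sorted(hits),
            })
    return findings
```

Feed it the lines of a saved kernel log (for example, `find_teardown_reports(open(path).read().splitlines())`); each finding carries the timestamp and the task that triggered the report, which helps tie it to an interface teardown.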
Evidence notes
The vulnerability exists in the interaction between XDP memory model registration and page pool destruction. When a driver registers an XDP memory model with `xdp_rxq_info_reg_mem_model()`, the page pool reference count increases to 2. Proper teardown requires calling both `page_pool_destroy()` and `xdp_unreg_mem_model()`. However, `xdp_unreg_mem_model()` internally calls `page_pool_destroy()` while holding `rcu_read_lock()`, and `page_pool_destroy()` tries to take a mutex with `mutex_lock()` via `mem_allocator_disconnect()`. This creates an invalid wait context that triggers kernel warnings and potential instability. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low attack complexity, requiring low privileges but resulting in high availability impact.
Official resources
- CVE-2024-43834 CVE record (CVE.org)
- CVE-2024-43834 NVD detail (NVD)
- Source item URL (cisa_csaf)