PatchSiren cyber security CVE debrief
CVE-2024-47706 Siemens CVE debrief
A use-after-free (UAF) vulnerability exists in the Linux kernel's Budget Fair Queueing (BFQ) I/O scheduler. The flaw occurs when I/O from a process traverses a merge chain of BFQ queues (bfqq), causing the code to incorrectly associate a bfqq with a Block I/O Context (BIC) that no longer owns it. Specifically, when Process 1 obtains bfqq2 from BIC1 and then acquires bfqq3 through a merge chain, the I/O is ultimately handled by bfqq3. However, the current code erroneously treats bfqq2 as still owned by BIC1 (its initial state) and sets bfqq2->bic to BIC1, leaving a stale pointer that leads to a use-after-free condition. This vulnerability was resolved in the Linux kernel. The issue affects Siemens SIMATIC S7-1500 TM MFP devices that use the GNU/Linux subsystem.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP programmable controllers with the GNU/Linux subsystem enabled, particularly in industrial automation and critical infrastructure environments where system availability is paramount. Security teams responsible for OT/ICS asset protection and patch management should prioritize monitoring for vendor updates.
Technical summary
The vulnerability resides in the block layer BFQ (Budget Fair Queueing) I/O scheduler of the Linux kernel. When I/O requests traverse a merge chain of BFQ queues, the scheduler fails to properly track ownership transitions between Block I/O Contexts (BICs) and their associated queue structures (bfqq). After a merge chain operation in which bfqq2 is obtained from BIC1 and bfqq3 is then acquired through merging, the I/O is handled by bfqq3, but the code incorrectly keeps bfqq2->bic pointing to BIC1. This stale pointer creates a use-after-free condition when the BIC or queue structure is subsequently freed. The KASAN instrumentation trace confirms allocation through kmem_cache_alloc_node in the ioc_create_icq path, indicating that the affected structures are slab-allocated.
Defensive priority
Medium
Recommended defensive actions
- Apply vendor-provided firmware updates for Siemens SIMATIC S7-1500 TM MFP when available, per Siemens security advisory SSA-265688
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and execute only applications from trusted sources on affected devices
- Monitor for anomalous I/O scheduler behavior or system instability that may indicate exploitation attempts
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
Evidence notes
The vulnerability description is derived from the official CVE record and CISA CSAF advisory ICSA-24-102-01. The KASAN stack trace indicates memory allocation via kmem_cache_alloc_node in ioc_create_icq, confirming the slab allocation context for the affected BIC structures. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact.
Official resources
- CVE-2024-47706 CVE record (CVE.org)
- CVE-2024-47706 NVD detail (NVD)
- Source item URL: cisa_csaf