PatchSiren cyber security CVE debrief
CVE-2024-49894 Siemens CVE debrief
CVE-2024-49894 is a buffer overflow vulnerability in the Linux kernel's AMD display driver subsystem, specifically within the `cm_helper_translate_curve_to_degamma_hw_format` function in `drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c`. The vulnerability occurs when the index variable `i` exceeds the bounds set by `TRANSFER_FUNC_POINTS`, leading to out-of-bounds access on the `output_tf->tf_pts.red`, `green`, and `blue` arrays. This was detected by the smatch static analysis tool, which identified potential buffer overflow conditions where index 1025 could be accessed against the array bounds. The vulnerability has been resolved in the Linux kernel with a bounds check that returns false if the index exceeds valid limits. Siemens has identified this vulnerability as affecting the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control system product. The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector with low attack complexity, requiring low privileges but no user interaction, with high impacts to confidentiality, integrity, and availability.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations running Linux-based industrial control systems, particularly Siemens SIMATIC S7-1500 TM MFP deployments with GNU/Linux subsystems. System administrators managing AMD GPU-equipped Linux workstations and servers. OT security teams responsible for patch management in manufacturing and critical infrastructure environments.
Technical summary
The vulnerability exists in `cm_helper_translate_curve_to_degamma_hw_format()`, where an unbounded loop index `i` can exceed `TRANSFER_FUNC_POINTS` (1024 elements), causing an out-of-bounds write to the `output_tf->tf_pts` color channel arrays. The fix implements a bounds check: if `i >= TRANSFER_FUNC_POINTS`, the function returns false to prevent the overflow. This is a classic off-by-one or unbounded iteration vulnerability in graphics driver color management code, exploitable for local privilege escalation on systems with AMD GPUs.
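The bounds check described above, shown on a simplified model as an added example (not the kernel's code and not taken from the advisory). `translate_checked`, `run_case`, `NUM_PTS_IN_REGION` and the segment layout are assumptions made for illustration, and `TRANSFER_FUNC_POINTS` uses the 1024 figure stated on this page.

```c
#include <stdbool.h>
#include <stddef.h>

#define TRANSFER_FUNC_POINTS 1024 /* element count as stated on this page */
#define NUM_PTS_IN_REGION 16      /* assumed region width for this sketch */

struct tf_pts { int red[TRANSFER_FUNC_POINTS]; };

/* Simplified model, not the kernel function: for each region, copy every
 * increment-th point of the source curve into the hardware point list. */
bool translate_checked(const struct tf_pts *src, const int *region_start,
                       const int *increment, size_t regions,
                       int *hw, size_t hw_len, size_t *written)
{
    size_t j = 0;
    for (size_t k = 0; k < regions; k++) {
        if (region_start[k] < 0 || increment[k] <= 0)
            return false;                  /* reject nonsensical segment data */
        size_t start = (size_t)region_start[k] * NUM_PTS_IN_REGION;
        for (size_t i = start; i < start + NUM_PTS_IN_REGION;
             i += (size_t)increment[k]) {
            if (j == hw_len)
                return false;              /* destination is full */
            if (i >= TRANSFER_FUNC_POINTS)
                return false;              /* the bounds check the fix adds */
            hw[j++] = src->red[i];
        }
    }
    *written = j;
    return true;
}

/* Constructed test driver: two regions, the second starting at
 * last_region_start. Returns points written, or -1 if rejected. */
int run_case(int last_region_start)
{
    static struct tf_pts curve;            /* filled below with sample data */
    int starts[2] = { 0, last_region_start };
    int incs[2] = { 4, 1 };
    int hw[64];
    size_t n = 0;
    for (int i = 0; i < TRANSFER_FUNC_POINTS; i++)
        curve.red[i] = i;
    if (!translate_checked(&curve, starts, incs, 2, hw, 64, &n))
        return -1;
    return (int)n;
}
```

With the `i >= TRANSFER_FUNC_POINTS` test removed, `run_case(64)` would index sixteen elements past the end of `red`; with it, the call fails cleanly and the caller can fall back or report an error.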
Defensive priority
HIGH
Recommended defensive actions
- Apply Linux kernel updates containing the fix for CVE-2024-49894 when available from your distribution vendor
- For Siemens SIMATIC S7-1500 TM MFP systems, limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources on affected systems
- Monitor vendor security advisories for patch availability from Siemens and Linux distribution maintainers
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
Evidence notes
The vulnerability was identified through static analysis (smatch) in the AMD display driver code path. The fix adds explicit bounds checking before array access. Siemens CSAF advisory SSA-265688 and CISA ICSA-24-102-01 document this as affecting industrial control systems with embedded Linux subsystems.
Official resources
- CVE-2024-49894 CVE record (CVE.org)
- CVE-2024-49894 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-09