PatchSiren cyber security CVE debrief
CVE-2024-50058 Siemens CVE debrief
CVE-2024-50058 is a NULL pointer dereference vulnerability in the Linux kernel's serial core subsystem. The issue exists in `uart_shutdown()` where a `uart_port_dtr_rts(uport, false)` call is made without verifying that `uport` is non-NULL, despite a preceding NULL check that acknowledges `uport` can be NULL. This vulnerability is triggered only when the HUPCL (hang up on close) flag is set, which limits its exposure. The flaw was identified through Coverity static analysis (CID 1585130). Siemens has confirmed this vulnerability affects the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control system. No patch is currently available from Siemens for this product. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM) with a local attack vector, requiring low privileges and no user interaction, resulting in high availability impact.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Operators of Siemens SIMATIC S7-1500 TM MFP industrial control systems utilizing the GNU/Linux subsystem; security teams managing OT/ICS environments with Linux-based embedded systems; kernel maintainers and developers working with serial subsystem code
Technical summary
The vulnerability resides in `drivers/tty/serial/serial_core.c` in the Linux kernel's UART shutdown path. When `uart_shutdown()` is called with the HUPCL flag set in `c_cflag`, the code path executes `uart_port_dtr_rts(uport, false)` without validating that `uport` is non-NULL. A preceding NULL check added in commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part 3) demonstrates that `uport` can legitimately be NULL in this context, yet the DTR/RTS manipulation was not moved inside the protective conditional. This results in a NULL pointer dereference when the HUPCL-controlled code path is taken with a NULL `uport`. The vulnerability is local-only, requires low privileges, and causes denial of service (system crash) through the high availability impact vector.
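The flaw described above, reduced to a user-space C model as an added example (not the kernel's source and not code from the advisory). The `model_*` names, structs and flag value are hypothetical stand-ins for `uart_shutdown()`, `uart_port_dtr_rts()`, `uport` and HUPCL.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space stand-ins; not the kernel's real structures. */
#define MODEL_HUPCL 0x1u                 /* stands in for HUPCL in c_cflag */
struct model_tty  { unsigned c_cflag; };
struct model_port { bool dtr_rts; bool is_console; unsigned saved_cflag; };

/* Like the helper named on the page, this dereferences its argument. */
static void model_dtr_rts(struct model_port *uport, bool active)
{
    uport->dtr_rts = active;
}

/* Flawed shape: the first branch tests uport, the HUPCL branch does not. */
void model_shutdown_unguarded(struct model_tty *tty, struct model_port *uport)
{
    if (uport && uport->is_console && tty)
        uport->saved_cflag = tty->c_cflag;
    if (!tty || (tty->c_cflag & MODEL_HUPCL))
        model_dtr_rts(uport, false);     /* NULL dereference if uport == NULL */
}

/* Hardened shape: every use of uport sits under one NULL check.
 * Returns true if the modem lines were dropped. */
bool model_shutdown_guarded(struct model_tty *tty, struct model_port *uport)
{
    bool dropped = false;
    if (uport) {
        if (uport->is_console && tty)
            uport->saved_cflag = tty->c_cflag;
        if (!tty || (tty->c_cflag & MODEL_HUPCL)) {
            model_dtr_rts(uport, false);
            dropped = true;
        }
    }
    return dropped;
}

int main(void)
{
    struct model_tty hup = { MODEL_HUPCL };
    struct model_port p = { true, false, 0 };
    /* Constructed inputs: a NULL port with HUPCL set, then a live port. */
    bool on_null = model_shutdown_guarded(&hup, NULL);
    bool on_live = model_shutdown_guarded(&hup, &p);
    printf("NULL port: %d, live port: %d, dtr_rts=%d\n", on_null, on_live, p.dtr_rts);
    return 0;
}
```

The guarded variant turns the NULL-port case into a no-op, which is the behaviour the earlier NULL check in the same function already implied.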
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Build and execute only applications from trusted sources on affected systems
- Monitor for kernel updates from Siemens that address this vulnerability in the SIMATIC S7-1500 TM MFP GNU/Linux subsystem
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Review serial port configurations and minimize use of HUPCL where operationally feasible
Evidence notes
The vulnerability description indicates this is a defensive coding issue where a NULL pointer check was added in commit af224ca2df29 but the subsequent `uart_port_dtr_rts()` call was not protected. The Coverity CID 1585130 reference confirms static analysis identification. Siemens CSAF data confirms affected product and no fix availability.
Official resources
- CVE-2024-50058 CVE record (CVE.org)
- CVE-2024-50058 NVD detail (NVD)
- Source item URL (cisa_csaf)