PatchSiren cyber security CVE debrief
CVE-2024-50150 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's USB Type-C alternate mode (altmode) driver. The altmode device release function references its parent device without holding a reference to it, creating a race condition where the parent device may be freed before the altmode release completes. This flaw was resolved by adding proper reference counting: obtaining a reference to the parent during altmode registration and releasing it in the altmode's release function. The vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem. Local attackers with low privileges can exploit this to achieve high confidentiality, integrity, and availability impact. No patch is currently available from the vendor; mitigations focus on restricting access to trusted personnel and ensuring only trusted applications are executed.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators using Siemens SIMATIC S7-1500 TM MFP with GNU/Linux subsystem; Linux kernel maintainers working on USB Type-C subsystem; OT security teams managing embedded Linux deployments in manufacturing environments
Technical summary
The vulnerability stems from improper memory management in drivers/usb/typec/class.c. The altmode device's release callback accesses parent device fields without holding a reference to the parent, violating kernel device model conventions. When the parent device is unregistered and freed before the altmode release completes, the dangling pointer dereference can trigger a kernel panic or be exploited for code execution. The fix takes a reference on the parent with get_device() during registration and drops it with a corresponding put_device() in the release path. This is a classic reference counting bug pattern in Linux driver development.
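The teardown ordering described above, as an added userspace model (not kernel code and not taken from the upstream patch). All struct and function names are hypothetical, and a `freed` flag stands in for kfree() so the stale access can be observed safely.

```c
/* Userspace model only: struct and function names are hypothetical. */
struct dev {
    int refs;                       /* reference count */
    int freed;                      /* 1 once the last reference is dropped */
    struct dev *parent;
    int pins_parent;                /* 1 if registration took a parent reference */
    int ids_in_use;                 /* parent-owned state the child release touches */
    void (*release)(struct dev *);
};

static int stale_access;            /* set when release() reads a freed parent */

static void dev_get(struct dev *d) { d->refs++; }

static void dev_put(struct dev *d)
{
    if (--d->refs == 0) {
        if (d->release)
            d->release(d);
        d->freed = 1;               /* the kernel would kfree() here */
    }
}

/* Child release touches parent-owned state, as the altmode release does. */
static void child_release(struct dev *c)
{
    if (c->parent->freed)
        stale_access = 1;           /* in the kernel: use-after-free */
    else
        c->parent->ids_in_use--;
    if (c->pins_parent)
        dev_put(c->parent);         /* fixed path: drop the pinned reference last */
}

/* Returns 1 if the child's release ran against an already-freed parent. */
int run_teardown(int pin_parent)
{
    struct dev parent = { .refs = 1, .ids_in_use = 1 };
    struct dev child  = { .refs = 1, .parent = &parent,
                          .pins_parent = pin_parent, .release = child_release };
    stale_access = 0;
    if (pin_parent)
        dev_get(&parent);           /* fixed path: reference taken at registration */
    dev_put(&parent);               /* parent unregistered first */
    dev_put(&child);                /* child's last reference dropped later */
    return stale_access;
}

int main(void) { return !(run_teardown(0) == 1 && run_teardown(1) == 0); }
```

With `pin_parent` set to 0 the parent reaches zero references before the child's release runs; with 1 the pinned reference keeps the parent alive until the child's release has finished with it.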
Defensive priority
HIGH
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Ensure all applications built and executed on affected systems originate from trusted sources
- Monitor for anomalous local process activity that may indicate exploitation attempts
- Apply vendor-supplied kernel updates when released by Siemens
- Review and implement CISA ICS recommended practices for defense-in-depth strategies
Evidence notes
Vulnerability description and resolution details sourced from CISA ICS advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms local attack vector with high impact. Vendor remediation status indicates no fix available as of advisory publication.
Official resources
- CVE-2024-50150 CVE record (CVE.org)
- CVE-2024-50150 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-09