PatchSiren cyber security CVE debrief
CVE-2024-53166 Siemens CVE debrief
CVE-2024-53166 is a high-severity use-after-free in the Linux block I/O BFQ scheduler path that Siemens and CISA tied to SIMATIC S7-1500 CPU 1518 MFP variants. The issue is described as a race in bfq_limit_depth() that can dereference a freed bfqq object when an io_context is shared by multiple tasks. Siemens’ advisory states that no fix is currently available and recommends restricting access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel and only running software from trusted sources.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: 7.8 (HIGH)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators, plant engineers, and security teams responsible for the affected Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP, 1518F-4 PN/DP MFP, or SIPLUS variants should review this promptly, especially where the embedded GNU/Linux subsystem is enabled and its interactive shell is reachable by anyone beyond a small set of trusted administrators.
Technical summary
The source advisory and CVE description identify a use-after-free in the Linux BFQ I/O scheduler, in bfq_limit_depth(). A bfq queue (bfqq) is reached through the per-io_context BFQ state (bic); setting a newly allocated bfqq on the bic and removing a freed one are both done under bfqd->lock, but bfq_limit_depth() dereferenced bfqq from the bic without taking that lock. When the io_context is shared by several tasks, one task can free the bfqq while another is still using the pointer it read. bfq_limit_depth() is the scheduler's limit_depth hook, so the vulnerable path is exercised only on block devices whose active I/O scheduler is bfq. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects this: exploitation requires the ability to run code locally with low privileges (for example a shell in the GNU/Linux subsystem), needs no user interaction, and can affect confidentiality, integrity, and availability; the most immediate practical consequence of a kernel use-after-free is typically a crash of the affected Linux subsystem. The advisory maps the weakness to CWE-416 and notes that it affects multiple Siemens SIMATIC S7-1500 CPU product variants.
Defensive priority
High. The advisory states that no fix is currently available, the CVSS base score is 7.8 (HIGH), and the affected products are industrial control system devices. Prioritize compensating controls and exposure reduction, above all wherever shell access to the embedded GNU/Linux subsystem exists, since local code execution in that subsystem is the precondition the CVSS vector (AV:L, PR:L) describes.
Recommended defensive actions
- Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources.
- Inventory the affected Siemens product variants listed in the advisory and confirm whether they are deployed in your environment.
- Monitor the Siemens ProductCERT advisory and the CISA republished advisory for any future remediation updates.
- Treat the affected subsystem as a higher-risk administrative surface and apply least-privilege access controls where possible.
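The two checks that follow from the actions above, as an added example that is not part of the Siemens or CISA advisory: it reports which block devices on a Linux host have bfq as the active I/O scheduler (the only configuration in which bfq_limit_depth() runs) and which accounts have an interactive login shell (the local, low-privilege foothold the CVSS vector describes). It assumes the GNU/Linux subsystem exposes the standard /sys/block/*/queue/scheduler files and a passwd(5) file; the sample scheduler line and passwd content are constructed here so the parsing functions can be exercised offline. It deliberately does not judge the kernel version, because the advisory names no fixed release.

```shell
#!/bin/sh
# Added triage script (not from the Siemens/CISA advisory). Assumes standard
# sysfs and /etc/passwd layouts on the target Linux host.

# Extract the active scheduler from one /sys/block/<dev>/queue/scheduler line.
# The kernel lists every available scheduler and brackets the active one,
# e.g. "mq-deadline kyber [bfq] none" -> "bfq". Prints nothing if no bracket.
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)].*/\1/p'
}

# Succeed (exit 0) only if bfq is the active scheduler in the given line.
bfq_active() {
    [ "$(active_scheduler "$1")" = "bfq" ]
}

# Print "<device> <active scheduler>" for every block device on this host.
# Prints nothing on a system without /sys/block (e.g. a minimal container).
report_schedulers() {
    for f in /sys/block/*/queue/scheduler; do
        [ -r "$f" ] || continue
        line=$(cat "$f")
        dev=${f#/sys/block/}
        dev=${dev%%/*}
        echo "$dev $(active_scheduler "$line")"
    done
}

# Number of block devices on this host with bfq active (0 if none or no sysfs).
count_bfq_devices() {
    report_schedulers | awk '$2 == "bfq" { n++ } END { print n + 0 }'
}

# Print account names from passwd(5) content whose login shell is interactive.
# Shells ending in "nologin" or "false" are treated as non-interactive; an
# empty shell field defaults to /bin/sh at login and is therefore counted.
interactive_users() {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Constructed sample inputs for offline use; not taken from any real device.
SAMPLE_SCHED='mq-deadline kyber [bfq] none'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
plc_admin:x:1000:1000::/home/plc_admin:/bin/bash
svc_hmi:x:1001:1001::/nonexistent:/bin/false'

main() {
    echo "== active I/O scheduler per block device =="
    report_schedulers
    echo "bfq active on $(count_bfq_devices) device(s)"
    echo "== accounts with an interactive login shell =="
    if [ -r /etc/passwd ]; then
        interactive_users "$(cat /etc/passwd)"
    else
        echo "(no /etc/passwd; showing constructed sample)"
        interactive_users "$SAMPLE_PASSWD"
    fi
}

main
```

Read the output as exposure, not as proof of safety: a device list with no bfq entry means the vulnerable hook is not currently reachable, but root can switch the scheduler by writing to the same sysfs file, so the interactive-shell list is the control that actually matters, and every account on it should be one the advisory's "trusted personnel" wording would cover.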
Evidence notes
Source data states: CVE-2024-53166 is a bfq_limit_depth() use-after-free caused by dereferencing bfqq from bic without bfqd->lock; the issue can occur when io_context is shared by multiple tasks. The supplied advisory metadata lists Siemens product variants affected, says 'Currently no fix is available,' and provides the mitigations to restrict shell access and use trusted software sources. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Publication timing is based on the provided CVE/source dates: published 2025-06-10 and modified 2026-05-14.
Official resources
- CVE-2024-53166 CVE record (CVE.org)
- CVE-2024-53166 NVD detail (NVD)
- Source item: CISA CSAF advisory feed (cisa_csaf)
Publicly disclosed in CISA ICS Advisory ICSA-25-162-05 on 2025-06-10, with the latest CISA republication update on 2026-05-14 based on Siemens ProductCERT advisory SSA-082556.