PatchSiren cyber security CVE debrief
CVE-2024-56631 Siemens CVE debrief
A use-after-free vulnerability in the Linux kernel's SCSI generic (sg) driver affects Siemens SIMATIC S7-1500 TM MFP industrial control systems. The flaw resides in sg_release(), where improper sequencing of resource cleanup and mutex operations can lead to slab-use-after-free conditions. Discovered by syzbot with KASAN detection, this vulnerability allows a local attacker with low privileges to potentially achieve code execution, confidentiality breach, or system availability impact. The CVSS 3.1 score of 7.8 reflects high impacts across confidentiality, integrity, and availability with local attack vector and low attack complexity. No patch is currently available from Siemens for the affected GNU/Linux subsystem.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators, OT security teams, Siemens SIMATIC S7-1500 TM MFP administrators, critical infrastructure defenders, and organizations with embedded Linux systems in operational technology environments.
Technical summary
The vulnerability exists in the SCSI generic (sg) driver's sg_release() function in the Linux kernel. A race condition between resource cleanup and mutex operations permits access to freed slab memory. The flaw was detected by Google's syzbot fuzzing infrastructure using Kernel Address Sanitizer (KASAN). Successful exploitation requires local access with low privileges and no user interaction. The upstream Linux kernel fix ensures proper sequencing of cleanup operations to prevent use-after-free conditions. Siemens has not yet released a patch for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem as of the latest advisory update.
Defensive priority
HIGH
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and execute only applications from trusted sources
- Monitor for anomalous process behavior or unexpected kernel panics on affected systems
- Apply Siemens security updates when released per advisory ICSA-24-102-01
- Implement network segmentation to limit access to affected industrial control systems
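One way to carry out the kernel-panic monitoring action above is to triage kernel log text for crash reports whose stack trace passes through the sg driver. This is an added example, not code from the advisory or from Siemens; the function name `find_sg_crashes` is hypothetical, the log lines are constructed sample data, and it assumes the kernel log is available as plain text (for example from `dmesg` or forwarded syslog).

```python
import re

# Headers that open a kernel crash report (KASAN build, or a plain oops/panic).
CRASH_START = re.compile(
    r"BUG: KASAN: (?P<kasan>[\w-]+) in \w+"
    r"|(?P<oops>Oops|general protection fault|Kernel panic|Unable to handle kernel)"
)
# A stack-trace frame such as " sg_release+0x1f4/0x2e0".
FRAME = re.compile(r"\b(?P<sym>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
[  101.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  412.337710] BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30
[  412.337725] Read of size 8 at addr ffff8880291c0978 by task demo/5838
[  412.337760] Call Trace:
[  412.337771]  dump_stack_lvl+0x116/0x1f0
[  412.337790]  lock_release+0x151/0xa30
[  412.337802]  __mutex_unlock_slowpath+0xa3/0x6a0
[  412.337815]  sg_release+0x1f4/0x2e0
[  412.337828]  __fput+0x3f8/0xb60
[  980.120001] Oops: 0000 [#1] PREEMPT SMP
[  980.120020]  ext4_readdir+0x12/0x900
[  980.120031] ---[ end trace 0000000000000000 ]---
"""

def find_sg_crashes(log_text, driver_prefix="sg_"):
    """Return one dict per crash report whose frames include an sg driver symbol."""
    reports, current = [], None
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if "end trace" in line:          # an oops report is finished
            current = None
            continue
        start = CRASH_START.search(line)
        if start:                        # a new report begins on this line
            current = {"kind": start.group("kasan") or start.group("oops"),
                       "frames": []}
            reports.append(current)
        if current is not None:          # collect every frame of the open report
            current["frames"] += [m.group("sym") for m in FRAME.finditer(line)]
    return [{"kind": r["kind"],
             "sg_frames": [f for f in r["frames"] if f.startswith(driver_prefix)]}
            for r in reports
            if any(f.startswith(driver_prefix) for f in r["frames"])]
```

Production kernels are normally built without KASAN, so on a fielded device the same defect would more likely surface as a plain oops or panic; the scanner treats both report types the same way.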
Evidence notes
Vulnerability confirmed through syzbot KASAN detection with validated fix in upstream Linux kernel. Siemens CSAF advisory ICSA-24-102-01 documents affected product. No known exploitation in the wild.
Official resources
- CVE-2024-56631 CVE record (CVE.org)
- CVE-2024-56631 NVD detail (NVD)
- Source item URL (cisa_csaf)