PatchSiren cyber security CVE debrief

CVE-2024-26925 Linux CVE debrief

A race condition vulnerability exists in the Linux kernel's netfilter nf_tables subsystem. The commit mutex was incorrectly released during a critical section between nft_gc_seq_begin() and nft_gc_seq_end(), allowing an asynchronous garbage collection worker to potentially collect expired objects and acquire the released commit lock within the same GC sequence. This occurs specifically in the abort path when nf_tables_module_autoload() temporarily releases the mutex to load module dependencies. The fix moves the mutex release to after nft_gc_seq_end() is called, ensuring proper synchronization during the garbage collection sequence.

Vendor: Linux
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

System administrators managing Siemens SCALANCE M-series routers, RUGGEDCOM devices, and other industrial networking equipment running affected Linux kernel versions; security teams responsible for industrial control system infrastructure; organizations utilizing netfilter/nf_tables for network packet filtering in critical infrastructure environments.

Technical summary

This vulnerability stems from improper synchronization in the Linux kernel's netfilter nf_tables subsystem. The nf_tables_module_autoload() function in the abort path temporarily releases the commit mutex to load module dependencies, then replays the transaction. However, this release occurred within the critical section bounded by nft_gc_seq_begin() and nft_gc_seq_end(), creating a window where the asynchronous garbage collection worker could collect expired objects and obtain the released commit lock during the same GC sequence. The resolution relocates the mutex release to occur after nft_gc_seq_end() completes, maintaining proper exclusion throughout the garbage collection critical section.
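To make the ordering invariant concrete, the following is an added userspace model written for this debrief; it is not kernel code and not taken from the page. Assumptions: a single flag stands in for the commit mutex, an even/odd counter stands in for the GC sequence (odd while a sequence is open), and the asynchronous GC worker is invoked synchronously whenever the mutex is free. The two abort paths differ only in whether the autoload's mutex release happens before or after the sequence ends.

```c
#include <stdbool.h>
/* Toy stand-ins for nft_net->commit_mutex and the nft_gc_seq_* helpers;
 * assumption: the sequence counter is odd while a GC sequence is open. */
struct nft_model {
    bool mutex_held;
    unsigned int gc_seq;
    int gc_ran_in_seq;  /* async GC runs observed inside an open sequence */
};
static unsigned int gc_seq_begin(struct nft_model *m) { return ++m->gc_seq; }         /* even -> odd */
static void gc_seq_end(struct nft_model *m, unsigned int s) { (void)s; ++m->gc_seq; } /* odd -> even */

/* Async GC worker, modelled as running whenever the commit mutex is free. */
static void gc_worker(struct nft_model *m)
{
    if (m->mutex_held) return;
    m->mutex_held = true;
    if (m->gc_seq & 1)      /* collecting under the abort path's own sequence */
        m->gc_ran_in_seq++;
    m->mutex_held = false;
}

/* nf_tables_module_autoload(): drops the mutex to load modules, then re-takes it. */
static void module_autoload(struct nft_model *m)
{
    m->mutex_held = false;
    gc_worker(m);           /* the window the worker can use */
    m->mutex_held = true;
}

/* Abort path before the fix: autoload (and thus the release) inside the sequence. */
int abort_before_fix(void)
{
    struct nft_model m = { .mutex_held = true };
    unsigned int seq = gc_seq_begin(&m);
    module_autoload(&m);    /* transaction undo work elided */
    gc_seq_end(&m, seq);
    m.mutex_held = false;
    return m.gc_ran_in_seq; /* 1: the worker ran in the same GC sequence */
}

/* Abort path after the fix: the sequence ends before the mutex is released. */
int abort_after_fix(void)
{
    struct nft_model m = { .mutex_held = true };
    unsigned int seq = gc_seq_begin(&m);
    gc_seq_end(&m, seq);
    module_autoload(&m);
    m.mutex_held = false;
    return m.gc_ran_in_seq; /* 0 */
}
```

The model only checks the ordering; the real kernel consequence (the worker collecting objects the abort path is still restoring) is what the sequence discipline exists to prevent.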

Defensive priority

Medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to version V8.2 or later for affected Siemens SCALANCE and RUGGEDCOM devices
  • Monitor vendor security advisories for additional affected product announcements
  • Implement network segmentation for industrial control systems to limit exposure
  • Follow CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

The vulnerability description indicates this is a kernel-level race condition in netfilter's nf_tables garbage collection mechanism. The issue was resolved by relocating the mutex release operation to occur after nft_gc_seq_end() in the abort path, preventing the async GC worker from interfering with the critical section.

Official resources

2024-11-12