PatchSiren

CVE-2024-36886 Linux CVE debrief

A use-after-free (UAF) vulnerability exists in the Linux kernel's Transparent Inter-Process Communication (TIPC) protocol implementation, specifically within the `tipc_buf_append()` error path. The vulnerability was reported by Sam Page (sam4k) working with Trend Micro Zero Day Initiative. The issue occurs when handling socket buffer (skb) operations during error conditions, where improper memory management leads to accessing freed memory. The vulnerability is present in kernel version 6.8.2, as demonstrated in the KASAN report. Siemens has identified this vulnerability as affecting its SINEC OS-based products, including RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The CVSS 3.1 score of 8.1 (High) reflects a network attack vector with high attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Vendor: Linux
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

  • Organizations operating Siemens industrial networking equipment, including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices
  • System administrators managing Linux kernel-based systems with the TIPC protocol enabled
  • Industrial control system operators relying on TIPC for inter-process communication in critical infrastructure environments
  • Security teams responsible for network segmentation and protocol filtering in OT/ICS networks

Technical summary

The vulnerability exists in the TIPC (Transparent Inter-Process Communication) protocol implementation within the Linux kernel. Specifically, in the `tipc_buf_append()` function's error handling path, improper management of socket buffer (skb) references leads to a use-after-free condition. When an error occurs during buffer appending operations, the code may free an skb structure while retaining a reference that is subsequently accessed. The KASAN-detected crash occurs in `kfree_skb_list_reason()` with a read of size 8 at a freed slab address. The call chain shows the vulnerability is reachable through the TIPC UDP receive path (`tipc_udp_recv()` → `tipc_rcv()` → `tipc_link_rcv()` → `tipc_link_input()` → `tipc_buf_append()`), making it remotely exploitable via crafted TIPC over UDP packets. The vulnerability affects Siemens industrial networking products running SINEC OS, which incorporates the vulnerable Linux kernel components.

Defensive priority

High

Recommended defensive actions

  • Update affected Siemens SINEC OS products to V3.1 or a later version, per Siemens ProductCERT guidance
  • For Linux kernel deployments, ensure the running kernel version includes the TIPC UAF fix in the `tipc_buf_append()` error path
  • Implement network segmentation to restrict TIPC protocol access to authorized systems only
  • Monitor for anomalous TIPC traffic patterns that may indicate exploitation attempts
  • Apply defense-in-depth strategies for industrial control systems per CISA recommended practices

Evidence notes

The vulnerability was resolved in the Linux kernel with a fix to the TIPC error path. The KASAN report shows the UAF occurring in `kfree_skb_list_reason()` during skb deallocation. The call trace, listed innermost frame first, runs `tipc_buf_append()` → `tipc_link_input()` → `tipc_link_rcv()` → `tipc_rcv()` → `tipc_udp_recv()`, indicating the vulnerability can be triggered via UDP-based TIPC communication. Siemens ProductCERT advisory SSA-613116 provides vendor-specific impact and remediation guidance.
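An added example, not part of the original debrief or the kernel project's code: a log-triage helper that finds KASAN use-after-free reports with `tipc_buf_append()` on the faulting stack and records which of the receive-path frames named above appear. It assumes standard dmesg/KASAN report layout, which only KASAN-enabled (test or fuzzing) kernels emit; the sample log is constructed.

```python
import re

# Receive path named in the debrief, caller to callee.
TIPC_RX_PATH = ("tipc_udp_recv", "tipc_rcv", "tipc_link_rcv",
                "tipc_link_input", "tipc_buf_append")
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # dmesg timestamp prefix
HEADER = re.compile(r"BUG: KASAN: ([\w-]+) in (\w+)")
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SKIP = re.compile(r"^\s*(\?|</?\w+>$)")             # unreliable frame or <IRQ>/<TASK> marker

def parse_kasan_reports(log_text):
    """Split kernel log text into KASAN reports, keeping the faulting call trace."""
    reports, cur, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        if (m := HEADER.search(line)):
            cur, in_trace = {"kind": m[1], "func": m[2], "frames": []}, False
            reports.append(cur)
        elif cur and line.strip() == "Call Trace:":
            in_trace = not cur["frames"]   # only the first trace is the faulting one
        elif cur and in_trace and not SKIP.match(line):
            if (m := FRAME.match(line)):
                cur["frames"].append(m[1])
            else:
                in_trace = False           # e.g. "Allocated by task ..." ends the trace
    return reports

def tipc_uaf_findings(log_text):
    """Use-after-free reports that have tipc_buf_append() on the stack."""
    hits = []
    for r in parse_kasan_reports(log_text):
        if r["kind"].endswith("use-after-free") and "tipc_buf_append" in r["frames"]:
            seen = [f for f in TIPC_RX_PATH if f in r["frames"]]
            hits.append({**r, "tipc_path": seen, "via_udp": "tipc_udp_recv" in seen})
    return hits

# Constructed sample: address, offsets, task name and timestamps are made up.
SAMPLE = """\
[  120.000001] BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
[  120.000002] Read of size 8 at addr ffff888000000000 by task example/1234
[  120.000003] Call Trace:
[  120.000004]  <IRQ>
[  120.000005]  kfree_skb_list_reason+0x47e/0x4c0
[  120.000006]  tipc_buf_append+0x3f0/0xb10
[  120.000007]  tipc_link_input+0x634/0x8b0
[  120.000008]  tipc_link_rcv+0x5e3/0x2d90
[  120.000009]  tipc_rcv+0x1070/0x3340
[  120.000010]  tipc_udp_recv+0x745/0x890
"""
```

Calling `tipc_uaf_findings()` on saved `dmesg` output returns one entry per matching report; `via_udp` marks reports whose trace includes `tipc_udp_recv`.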

Official resources

2025-08-12