CVE-2024-36894 Linux CVE debrief

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family industrial networking equipment should verify their firmware status against vendor advisories, though this specific CVE is assessed as not affecting these products.

Technical summary

The vulnerability exists in the Linux kernel's USB gadget Function Filesystem (f_fs) driver where a race condition can occur between asynchronous I/O cancellation (`aio_cancel()`) and AIO request completion. This type of race condition typically manifests as use-after-free or double-free memory corruption scenarios. However, per the source advisory's threat assessment, this vulnerability has been categorized as 'Misinformed' for the Siemens products originally listed, indicating that upon further analysis, the products are not actually vulnerable to this issue. The advisory covering Siemens SINEC OS and related industrial networking products was updated on 2026-02-25 to reflect this corrected assessment.

Defensive priority

low

Recommended defensive actions

• Verify that affected Siemens product configurations are updated to the latest firmware versions as specified in vendor security advisories
• Review network segmentation for industrial control systems to limit exposure of USB gadget interfaces
• Monitor vendor security advisories for any reassessment of this vulnerability's impact
• Apply standard defense-in-depth practices for industrial control systems per CISA guidance

Evidence notes

The source advisory (ICSA-25-226-07) explicitly marks this CVE with threat category 'impact' and details 'Misinformed' for product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. The revision history indicates corrections were made on 2026-02-12 to move entries from Affected Products to Known Not Affected Products.

Official resources