PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-40995 Linux CVE debrief

CVE-2024-40995 describes a possible infinite loop in the Linux kernel's network traffic control subsystem, specifically in the `tcf_idr_check_alloc()` function in `net/sched/act_api.c`. The function belongs to the traffic classifier action API, which manages the actions attached to packet filtering and traffic shaping rules. An infinite loop in this path could cause a CPU hang while network traffic control operations are processed, resulting in a denial-of-service condition. The vulnerability was initially published on August 12, 2025, and subsequently modified on February 25, 2026, as part of CISA's republication of Siemens ProductCERT advisory SSA-355557. Siemens has assessed this CVE as 'Misinformed' for its affected product lines, meaning that after analysis the vulnerability does not actually impact the listed products as originally suspected; this determination came from Siemens' internal product security assessment process. The affected product scope has been revised, with the February 2026 updates clarifying configurations and removing several rejected CVEs from consideration. Organizations running Siemens industrial networking equipment should consult the vendor's official security advisory to confirm their specific product configurations and patch status.

Vendor: Linux
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

  • System administrators managing Linux-based network infrastructure with traffic control policies
  • Security teams responsible for industrial control system (ICS) networks using Siemens networking equipment
  • Kernel maintainers and distribution vendors packaging Linux kernels with net/sched support
  • Network engineers implementing QoS or traffic shaping in critical infrastructure environments

Technical summary

The vulnerability exists in the Linux kernel's traffic control action API (`net/sched/act_api.c`). The `tcf_idr_check_alloc()` function manages IDR allocations (the kernel's integer ID allocator, which maps small integers to pointers) for traffic classifier actions. An infinite loop could be triggered during an IDR allocation operation, potentially causing CPU exhaustion and denial of service: if a failure in this allocation path is handled by retrying without a bound or an error return, the retry loop never terminates. This affects systems using the `tc` (traffic control) utility for network QoS, traffic shaping, or packet filtering. Siemens has determined this vulnerability does not affect its listed industrial networking products (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family) as originally suspected, classifying the CVE as 'Misinformed' for these products.
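The failure mode the summary describes, a retry loop around an ID-table lookup that has no exit when the condition it waits on never clears, is easier to reason about in a small model. The following is an added teaching example written for this debrief; it is not code from the Linux kernel, from `act_api.c`, or from PatchSiren, and the `IdrAnalogue` table, the `pending` state and the `max_retries` bound are constructed assumptions rather than a description of the real kernel fix. It contrasts the defective shape (loop back unconditionally while the entry is pending) with a bounded version that gives up and reports an error, which is the general mitigation for unbounded retry loops in allocation paths.

```python
"""Constructed analogue of a retry loop in an integer-ID allocator.

Added teaching example for the CVE-2024-40995 debrief. This is NOT the
Linux kernel's tcf_idr_check_alloc() and does not reproduce its fix; it
models the generic failure mode the summary names: an allocation path
that retries on a transient state and, without a bound, can spin forever.
"""
from dataclasses import dataclass, field


class RetryExhausted(RuntimeError):
    """Raised when the bounded allocator gives up instead of spinning."""


@dataclass
class IdrAnalogue:
    """Toy integer-ID table (assumption: a stand-in for the kernel IDR).

    entries: id -> payload for live entries.
    pending: id -> number of lookups until the entry finishes tearing
             down and disappears; a negative count means it never clears.
    """
    entries: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)

    def lookup(self, idx):
        """Return 'live', 'pending' or None for a free slot."""
        if idx in self.pending:
            remaining = self.pending[idx]
            if remaining == 0:
                # Teardown completed: the slot is now free.
                del self.pending[idx]
                self.entries.pop(idx, None)
                return None
            if remaining > 0:
                self.pending[idx] = remaining - 1
            return "pending"
        return "live" if idx in self.entries else None


def check_alloc_unbounded(table, idx, payload):
    """Defective shape: loop back for as long as the entry is pending.

    If the pending state never clears, this function never returns and
    the caller's CPU is pinned.
    """
    while True:
        state = table.lookup(idx)
        if state == "pending":
            continue
        if state == "live":
            return False          # id already taken by a live entry
        table.entries[idx] = payload
        return True               # allocated


def check_alloc_bounded(table, idx, payload, max_retries=16):
    """Mitigated shape: retry a bounded number of times, then fail loudly.

    Returning an error to the caller turns a silent CPU hang into a
    visible, recoverable failure.
    """
    for _ in range(max_retries + 1):
        state = table.lookup(idx)
        if state == "pending":
            continue
        if state == "live":
            return False
        table.entries[idx] = payload
        return True
    raise RetryExhausted(f"id {idx} still pending after {max_retries} retries")


if __name__ == "__main__":
    # Constructed scenario: id 7 clears after three lookups, id 9 never does.
    clears = IdrAnalogue(pending={7: 3})
    print("bounded, clears:", check_alloc_bounded(clears, 7, "action-a"))
    stuck = IdrAnalogue(pending={9: -1})
    try:
        check_alloc_bounded(stuck, 9, "action-b")
    except RetryExhausted as exc:
        print("bounded, stuck:", exc)
    # check_alloc_unbounded(stuck, 9, "action-b") would never return.
```

Run as a script it shows both outcomes; the unbounded variant is deliberately not invoked on the stuck table, because that call would hang the interpreter exactly as an unbounded kernel loop pins a CPU.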

Defensive priority

medium

Recommended defensive actions

  • Verify current patch level against Siemens ProductCERT advisory SSA-355557 for specific product configurations
  • Review network traffic control (tc) rule configurations on Linux-based systems running traffic shaping or QoS policies
  • Monitor system CPU utilization for anomalous spikes that could indicate infinite loop conditions in network processing paths
  • Apply kernel updates from distribution vendors that address net/sched subsystem vulnerabilities
  • Implement network segmentation to limit exposure of traffic control interfaces to untrusted networks

Evidence notes

CVE published 2025-08-12; modified 2026-02-25 per CISA republication of Siemens SSA-355557. Siemens threat assessment categorizes this CVE as 'Misinformed' for affected products. Source advisory underwent multiple revisions: initial publication (2025-08-12), corrected affected products list (2026-02-12), clarified SCALANCE family configuration and removed rejected CVEs (2026-02-24), and final CISA republication update (2026-02-25).

Official resources

2025-08-12