PatchSiren cyber security CVE debrief

CVE-2024-0584 Siemens CVE debrief

A use-after-free vulnerability exists in the Linux kernel's IGMP (Internet Group Management Protocol) implementation, specifically in the `igmp_start_timer` function within `net/ipv4/igmp.c`. The flaw occurs when processing IGMP query packets, where improper reference counting can lead to a use-after-free condition. This vulnerability allows a local attacker to trigger a kernel information leak by observing reference count inconsistencies during IGMP query packet handling. The issue affects Siemens industrial networking products running SINEC OS, including RUGGEDCOM RST2428P and SCALANCE switch families. CISA published advisory ICSA-25-226-15 on August 12, 2025, with subsequent updates through February 25, 2026, to correct affected product listings and incorporate Siemens ProductCERT guidance. The vulnerability is classified under CWE-416 (Use After Free).

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices running SINEC OS. System administrators responsible for industrial control system security, network engineers managing segmented industrial networks, and security teams monitoring for kernel-level vulnerabilities in embedded Linux systems should prioritize assessment.

Technical summary

The vulnerability resides in the `igmp_start_timer` function in `net/ipv4/igmp.c` of the Linux kernel network subsystem. When an IGMP query packet is received, improper handling of reference counts can result in a use-after-free condition. This flaw is exploitable by a local user and results in kernel information leakage through observation of reference count inconsistencies. The attack requires local access to send or receive IGMP query packets on the affected system.

Defensive priority

medium

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-613116 for detailed product-specific guidance and patch availability
  • Apply vendor-provided firmware updates for affected SINEC OS devices when available
  • Implement network segmentation to limit exposure of industrial control system devices
  • Monitor for anomalous IGMP traffic patterns that may indicate exploitation attempts
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Assess exposure of affected SCALANCE and RUGGEDCOM devices to untrusted local users

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. The advisory underwent multiple revisions: initial publication on 2025-08-12, corrections to affected products on 2026-02-12, removal of rejected CVEs on 2026-02-24, and final republication on 2026-02-25. The source indicates this vulnerability affects SINEC OS-based products including RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices.
