PatchSiren cyber security CVE debrief
CVE-2024-26581 Siemens CVE debrief
A vulnerability in the Linux kernel's netfilter subsystem, specifically within the nft_set_rbtree module, has been identified and resolved. The issue involves improper garbage collection (GC) handling of end interval elements in the red-black tree data structure used for nftables sets. When garbage collection processes these end interval elements incorrectly, it can lead to use-after-free conditions or memory corruption, potentially causing system instability or privilege escalation. The vulnerability affects Siemens industrial networking products running SINEC OS, including RUGGEDCOM RST2428P and SCALANCE X-family switches. CISA published this advisory on August 12, 2025, with subsequent updates through February 25, 2026, including corrections to affected product listings and removal of rejected CVEs. The fix involves modifying the garbage collection routine to properly skip end interval elements during cleanup operations.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations operating Siemens industrial networking infrastructure including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family switches, SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices, and RUGGEDCOM RST2428P switches. System administrators managing OT/ICS environments with Linux-based network appliances, security teams responsible for industrial control system hardening, and compliance officers tracking CVE remediation for critical infrastructure assets should prioritize this advisory.
Technical summary
The vulnerability exists in the Linux kernel's netfilter nft_set_rbtree implementation, which uses red-black trees to manage interval-based sets in nftables. The garbage collection routine fails to properly identify and skip end interval elements during cleanup, leading to potential use-after-free or memory corruption conditions. This affects the nft_set_rbtree_gc() function's handling of interval set elements where end markers are incorrectly processed as regular elements. The fix ensures that end interval elements are explicitly excluded from garbage collection operations, preventing premature deallocation of active data structures. Siemens industrial networking products utilizing SINEC OS with affected kernel versions are impacted, particularly those employing nftables for network filtering and NAT operations.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates for affected Siemens SCALANCE and RUGGEDCOM devices when available
- Review and implement CISA ICS recommended practices for network segmentation of industrial control systems
- Monitor vendor security advisories for SINEC OS updates addressing this kernel vulnerability
- Implement defense-in-depth strategies for industrial control environments per CISA guidance
- Verify that nftables configurations on affected systems do not expose unnecessary attack surfaces
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. The Linux kernel fix resolves improper garbage collection handling in nft_set_rbtree. The advisory underwent multiple revisions: initial publication (2025-08-12), corrected affected products (2026-02-12), removed rejected CVEs and unsupported version notes (2026-02-24), and final CISA republication update (2026-02-25).
Official resources
-
CVE-2024-26581 CVE record
CVE.org
-
CVE-2024-26581 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12