PatchSiren cyber security CVE debrief
CVE-2024-26598 Siemens CVE debrief
A use-after-free (UAF) vulnerability in the Linux kernel's KVM ARM64 vGIC-ITS (Virtual Generic Interrupt Controller - Interrupt Translation Service) subsystem could allow a malicious guest VM to corrupt memory or escalate privileges. The flaw exists in the LPI (Locality-specific Peripheral Interrupt) translation cache implementation, where improper synchronization may lead to accessing freed memory. This affects Siemens industrial networking products running SINEC OS, which incorporates the vulnerable Linux kernel code. The vulnerability was resolved in the upstream Linux kernel. Siemens has issued security advisory SSA-613116 addressing this issue for affected SCALANCE and RUGGEDCOM product families.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations running Siemens industrial networking equipment with SINEC OS, particularly SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family switches and RUGGEDCOM RST2428P devices. Also relevant to any organization operating KVM-based virtualization on ARM64 platforms with untrusted guest workloads.
Technical summary
The vulnerability exists in the KVM (Kernel-based Virtual Machine) subsystem for ARM64 architectures, specifically within the Virtual Generic Interrupt Controller Interrupt Translation Service (vGIC-ITS) component. The LPI (Locality-specific Peripheral Interrupt) translation cache implementation contains a use-after-free condition where memory may be accessed after it has been freed, potentially allowing a malicious guest virtual machine to corrupt host memory or achieve privilege escalation. This is a hypervisor-level vulnerability affecting systems running virtualized workloads on ARM64 hardware. The fix involves proper synchronization in the LPI translation cache to prevent the UAF condition.
Defensive priority
high
Recommended defensive actions
- Apply vendor patches from Siemens ProductCERT advisory SSA-613116 when available
- Update SINEC OS on affected SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family and RUGGEDCOM RST2428P devices to a fixed version
- Review KVM configurations on ARM64 systems to limit untrusted guest VM execution where patching is not immediately feasible
- Monitor for anomalous guest VM behavior or hypervisor crashes that may indicate exploitation attempts
- Implement network segmentation for industrial control systems per CISA ICS recommended practices
Evidence notes
The vulnerability description indicates a resolved UAF condition in KVM ARM64 vGIC-ITS LPI translation cache. CISA CSAF advisory ICSA-25-226-15 (published 2025-08-12, modified 2026-02-25) covers Siemens SINEC OS products. The advisory's threat assessment categorizes impact as 'Misinformed' for affected product IDs. Siemens ProductCERT advisory SSA-613116 is the primary vendor source. No CVSS score or severity is available in the supplied corpus. The CVE was published 2025-08-12 and last modified 2026-02-25.
Official resources
-
CVE-2024-26598 CVE record
CVE.org
-
CVE-2024-26598 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12