PatchSiren cyber security CVE debrief
CVE-2024-26636 Siemens CVE debrief
A vulnerability in the Linux kernel's Logical Link Control (LLC) protocol implementation, specifically in the llc_ui_sendmsg() function, has been resolved. The fix addresses a race condition where bonding network interface changes could cause instability or unexpected behavior during message transmission. The vulnerability was present in Siemens industrial networking products running affected Linux kernel versions, including RUGGEDCOM RST2428P and SCALANCE X-family switches. CISA published this advisory on August 12, 2025, with subsequent updates through February 25, 2026, including corrections to affected product listings and removal of rejected CVEs. The threat assessment categorizes impact as 'Misinformed' for affected product IDs.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking infrastructure, particularly those using RUGGEDCOM RST2428P switches or SCALANCE X-family switches (XC-300/XR-300/XC-400/XR-500WG/XR-500, XCM-/XRM-/XCH-/XRH-300 families) running SINEC OS. System administrators managing bonded network interfaces on Linux-based industrial control systems should prioritize this update. Critical infrastructure operators in manufacturing, energy, and transportation sectors that rely on high-availability network configurations are particularly affected.
Technical summary
The vulnerability exists in the Linux kernel's Logical Link Control (LLC) protocol implementation, specifically in the llc_ui_sendmsg() function. The function was not robust against changes to the network bonding configuration made while a message transmission was in progress. Bonding (link aggregation) combines multiple network interfaces into a single logical interface for redundancy and increased bandwidth. If a bonding configuration changed while an LLC socket was actively sending, a race condition could occur, potentially causing system instability, unexpected behavior, or a denial of service. The fix strengthens the function's handling of dynamic network interface changes so that state is managed correctly when the underlying bonded interfaces are modified. The issue is relevant to industrial networking equipment because high availability through bonding is commonly deployed there.
Defensive priority
medium
Recommended defensive actions
- Apply kernel patches or firmware updates from Siemens ProductCERT advisory SSA-613116 to address the LLC protocol vulnerability
- Verify SINEC OS version is current; note that versions below 3.1 are not supported for SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family
- Review network bonding configurations on affected industrial switches to ensure stability during interface changes
- Monitor CISA ICS advisories for additional guidance on industrial control system security practices
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
Evidence notes
Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-15. The advisory underwent four revision cycles: initial publication (2025-08-12), corrected affected products (2026-02-12), removed rejected CVEs and unsupported version notes (2026-02-24), and final CISA republication based on Siemens ProductCERT SSA-613116 (2026-02-25). Vendor attribution confirmed via CSAF product tree with high confidence. Impact categorization of 'Misinformed' derived from CSAF threats field.
Official resources
- CVE-2024-26636 CVE record (CVE.org)
- CVE-2024-26636 NVD detail (NVD)
- Source item URL: cisa_csaf
2025-08-12