PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-26688 Siemens CVE debrief

CVE-2024-26688 is a NULL pointer dereference vulnerability in the Linux kernel's hugetlb filesystem, in hugetlbfs_fill_super() (spelled "hugetlbs_fill_super" in the CVE title). The vulnerability was fixed in the upstream Linux kernel. Siemens has assessed this CVE as 'Misinformed' for the industrial networking products it was initially reported against, including the RUGGEDCOM RST2428P and SCALANCE X-family devices, meaning those products are not affected despite the original listing. The CISA advisory ICSA-25-226-15, republished on 2026-02-25, reflects this updated assessment based on Siemens ProductCERT advisory SSA-613116. No CVSS score or severity is available in the source corpus. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family industrial networking equipment should verify their exposure against Siemens ProductCERT guidance rather than the raw CVE description, since the vendor assessment supersedes the original affected-product listing.

Technical summary

The vulnerability exists in hugetlbfs_fill_super() in the Linux kernel's hugetlb filesystem implementation. A NULL pointer dereference could occur during superblock initialization, i.e. while the hugetlbfs instance is being mounted. The issue was fixed upstream. Siemens products running SINEC OS were initially flagged but subsequently assessed as not affected ('Misinformed' impact rating per the CISA CSAF threat data).

Defensive priority

Low

Recommended defensive actions

  • Verify current SINEC OS and firmware versions on affected Siemens industrial networking equipment per vendor guidance
  • Review Siemens ProductCERT advisory SSA-613116 for definitive product impact assessment
  • Apply vendor-recommended updates for SINEC OS and SCALANCE/RUGGEDCOM firmware as applicable
  • Monitor CISA ICS advisories for updates to ICSA-25-226-15

Evidence notes

The source CISA CSAF advisory ICSA-25-226-15 (republished 2026-02-25) indicates that Siemens assessed this CVE as 'Misinformed' for the listed products. The advisory revision history shows corrections to the affected-products list and removal of rejected CVEs in subsequent updates.

Official resources

2025-08-12