CVE-2024-26702 Siemens CVE debrief

A boundary check vulnerability in the Linux kernel's RM3100 magnetometer driver (iio: magnetometer: rm3100) was resolved by adding validation for values read from RM3100_REG_TMRC. The vulnerability involves insufficient boundary checking of register values that could lead to undefined behavior. Siemens has assessed this CVE as 'Misinformed' for affected industrial networking products including the RUGGEDCOM RST2428P and SCALANCE X-family devices, indicating the vulnerability does not actually affect these products as initially reported. The issue was originally published on August 12, 2025, with subsequent advisory updates through February 25, 2026, correcting product impact assessments.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE X-family) should verify their exposure assessment against the current advisory; Linux kernel maintainers and embedded systems developers using the RM3100 magnetometer driver should ensure the boundary check is present in the kernel they ship.

Technical summary

The vulnerability exists in the Linux kernel's Industrial I/O (IIO) subsystem, specifically the RM3100 magnetometer driver. The fix adds boundary checking for values read from the RM3100_REG_TMRC register. Without proper bounds validation, register values could potentially cause out-of-bounds access or other undefined behavior. The RM3100 is a 3-axis magnetometer used in various sensing applications. Siemens has determined this vulnerability does not actually affect their reported product lines (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family), classifying the reported impact as 'Misinformed' in their security advisory.
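To make the class of defect concrete, here is an illustration added to this debrief (not the kernel driver's code, not Siemens material): a sample-rate lookup driven by a TMRC register value, in its unchecked shape beside the bounds-checked shape. The table contents, the RM_TMRC_OFFSET constant and all names are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: the first TMRC code that maps to a table
 * entry, and a table of supported sample rates as {Hz, micro-Hz}. */
#define RM_TMRC_OFFSET 0x92
#define RM_SAMP_NUM    4

static const int rm_samp_rates[RM_SAMP_NUM][2] = {
    {600, 0}, {300, 0}, {150, 0}, {75, 0},
};

/* Index a register value selects. Note the unsigned wrap when the code is
 * below the offset: 0x91 - 0x92 becomes UINT_MAX, not -1, so a single
 * ">= RM_SAMP_NUM" test covers both directions. */
static unsigned int rm_tmrc_index(uint8_t tmrc)
{
    return (unsigned int)(tmrc - RM_TMRC_OFFSET);
}

/* Pre-fix shape: the index would be used directly. Returns 1 when the
 * lookup would read past the table (the read itself is not performed). */
static int rm_lookup_would_overrun(uint8_t tmrc)
{
    return rm_tmrc_index(tmrc) >= RM_SAMP_NUM;
}

/* Post-fix shape: reject any code outside the table before indexing.
 * Register contents arrive from hardware and must not be trusted. */
static int rm_get_samp_freq(uint8_t tmrc, int *val, int *val2)
{
    unsigned int idx = rm_tmrc_index(tmrc);

    if (idx >= RM_SAMP_NUM)
        return -EINVAL;
    *val  = rm_samp_rates[idx][0];
    *val2 = rm_samp_rates[idx][1];
    return 0;
}

/* Convenience wrapper: integer Hz for a code, or -1 if it was rejected. */
static int rm_rate_hz(uint8_t tmrc)
{
    int v, v2;
    return rm_get_samp_freq(tmrc, &v, &v2) == 0 ? v : -1;
}

int main(void)
{
    /* constructed register reads: two in range, one below, one above */
    const uint8_t reads[] = { 0x92, 0x94, 0x91, 0x96 };
    for (size_t i = 0; i < sizeof reads; i++)
        printf("TMRC=0x%02x overrun=%d rate=%d Hz\n", reads[i],
               rm_lookup_would_overrun(reads[i]), rm_rate_hz(reads[i]));
    return 0;
}
```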

Defensive priority

Low

Recommended defensive actions

  • Verify current SINEC OS version on affected Siemens devices; versions 3.1 and above are supported
  • Review Siemens ProductCERT SSA-613116 for definitive product impact assessment
  • Apply standard defense-in-depth practices for industrial control systems per CISA guidance
  • Monitor CISA ICS advisories for any future corrections to this vulnerability's scope

Evidence notes

CVE published 2025-08-12; modified 2026-02-25. Siemens ProductCERT SSA-613116 and CISA ICSA-25-226-15 both classify impact as 'Misinformed' for affected product lines. Advisory revision history shows corrections to affected products list on 2026-02-12 and 2026-02-24.