CVE-2024-26804 Siemens CVE debrief

Who should care

Organizations operating Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family switches, RUGGEDCOM RST2428P devices, or other affected industrial networking equipment utilizing IP tunnel features. OT security teams and network administrators responsible for critical infrastructure networks should prioritize firmware updates.

Technical summary

The vulnerability exists in the Linux kernel's IP tunnel (net/ip_tunnel) implementation where perpetual headroom growth could occur, potentially leading to resource exhaustion or packet processing issues. The fix prevents unbounded headroom expansion. This affects Siemens industrial networking products that utilize IP tunneling functionality within their SINEC OS operating system.

Defensive priority

medium

Recommended defensive actions

• Review Siemens ProductCERT advisory SSA-613116 for detailed product-specific patch information
• Verify SINEC OS version on affected SCALANCE and RUGGEDCOM devices
• Apply vendor-provided firmware updates to address the underlying Linux kernel vulnerability
• Monitor network traffic for anomalous IP tunnel behavior as a detection control
• Follow CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

Source indicates this vulnerability was resolved in the Linux kernel. The CISA CSAF advisory ICSA-25-226-15 underwent multiple revisions: initial publication (2025-08-12), corrected affected products (2026-02-12), removed rejected CVEs and unsupported version notes (2026-02-24), and final republication based on Siemens ProductCERT SSA-613116 (2026-02-25). Threat category 'Misinformed' assigned to affected product IDs CSAFPID-0001, CSAFPID-0003, CSAFPID-0004.

Official resources