PatchSiren cyber security CVE debrief
CVE-2024-26923 Siemens CVE debrief
A race condition vulnerability exists in the Linux kernel's AF_UNIX socket implementation, specifically between the garbage collector and the connect() system call. This flaw could allow a local attacker to trigger use-after-free conditions, potentially leading to privilege escalation, information disclosure, or system instability. The vulnerability affects Siemens industrial networking products running SINEC OS, including RUGGEDCOM RST2428P switches and SCALANCE X-family devices. Siemens has released firmware updates to address this issue.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking infrastructure, particularly those deploying RUGGEDCOM RST2428P switches or SCALANCE X-family devices in critical infrastructure environments. OT security teams, network administrators, and asset owners in manufacturing, energy, transportation, and other industrial sectors should prioritize assessment and patching.
Technical summary
The vulnerability stems from a race condition between the AF_UNIX socket garbage collector and the connect() system call in the Linux kernel. When these operations interleave improperly, socket objects may be freed while still in use, creating use-after-free conditions. The garbage collector in AF_UNIX is responsible for cleaning up orphaned socket references, but improper synchronization with active connection attempts can lead to premature object destruction. This affects Siemens industrial networking equipment running SINEC OS, which incorporates the vulnerable Linux kernel components. The high attack complexity (AC:H) reflects the timing-dependent nature of race condition exploitation, while the local attack vector (AV:L) indicates the attacker must have local access to the target system.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.1 or later for affected SCALANCE and RUGGEDCOM devices
- Review network segmentation to limit local access to industrial control systems
- Monitor for anomalous local process behavior on affected devices
- Implement defense-in-depth strategies per CISA ICS recommended practices
- Verify patch deployment across all affected product families including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families
Evidence notes
The vulnerability was disclosed in CISA advisory ICSA-25-226-15 on 2025-08-12, with subsequent updates through 2026-02-25. The source advisory underwent multiple revisions, including corrections to affected product lists and removal of rejected CVEs. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a local attack vector with high attack complexity, requiring low privileges but no user interaction, with high impacts across confidentiality, integrity, and availability.
Official resources
- CVE-2024-26923 CVE record (CVE.org)
- CVE-2024-26923 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12