PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-26924 Siemens CVE debrief

CVE-2024-26924 is a use-after-free vulnerability in the Linux kernel's netfilter subsystem, specifically within the nft_set_pipapo module used for packet classification. The flaw occurs when handling large batches of elements with rapid add/remove patterns in nftables sets. When multiple elements share the same key—possible when an existing element has timed out or is inactive for the next generation—the removal function may unmap the wrong element. This causes the non-deactivated element to become unreachable (leaked) while the deactivated element remains reachable in the set data structure, leading to stale pointer dereferences and potential kernel crashes. The vulnerability was resolved by adding validation to ensure the fully matching key maps to the correctly deactivated element before removal, with additional bug/warn traps to prevent removal of non-existent elements.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2025-08-12
Original CVE updated
2026-02-25
Advisory published
2025-08-12
Advisory updated
2026-02-25

Who should care

  • System administrators managing Linux-based network infrastructure, particularly those using nftables for packet filtering and classification
  • Security teams responsible for industrial control systems and operational technology networks using Siemens SCALANCE, RUGGEDCOM, or SINEC OS products
  • Kernel maintainers and developers working with netfilter/nftables implementations
  • Organizations relying on timeout-based nftables sets for dynamic access control or rate limiting

Technical summary

The vulnerability exists in the nft_set_pipapo.c implementation of the Linux kernel's netfilter framework. The pipapo (Pile of Packets) set type is used for high-performance packet classification with support for timeout-based element expiration. The flaw manifests in the element removal path when:

  • multiple elements exist with identical keys, which occurs when a new element is inserted while an existing same-key element has timed out or is marked inactive for the next generation;
  • the nft_pipapo_remove() function performs a lookup and marks an element inactive;
  • during the second removal step, the function may unmap a different element than the one deactivated, because it does not verify that the fully matching key corresponds to the deactivated element.

This error leaves the deactivated element reachable in the set structure (a stale pointer) while the non-deactivated element becomes unreachable (a memory leak). Subsequent lookups that retrieve the stale element can trigger kernel crashes. The fix adds explicit verification that the key-to-element mapping matches the deactivated element before unmapping, plus bug/warn assertions to catch invalid removal attempts.
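To make the two-step failure concrete, the following is an added, deliberately simplified C model of the removal path described above. It is not kernel code and does not reproduce the nft_set_pipapo data structures: the element layout, the key-only lookup order and the key value 42 are constructed assumptions, and the verify flag stands in for the fix's check that the matching element is the deactivated one.

```c
#include <stdbool.h>

/* Toy set element (assumption: not the kernel's real layout). */
struct elem {
    int key;
    bool mapped;       /* reachable through the set's lookup structure */
    bool deactivated;  /* step 1 of nft_pipapo_remove() marked it inactive */
};
struct set { struct elem e[8]; int n; };
struct outcome { int stale; int leaked; };

static struct elem *add(struct set *s, int key)
{
    struct elem *e = &s->e[s->n++];
    e->key = key; e->mapped = true; e->deactivated = false;
    return e;
}

/* Two-step removal. Step 1 deactivates the victim; step 2 unmaps the first
 * mapped element whose key matches. verify=false models the bug (any same-key
 * element will do); verify=true models the fix (it must be the deactivated
 * one). Returns false when nothing was unmapped (the fix's bug/warn path). */
static bool remove_elem(struct set *s, struct elem *victim, bool verify)
{
    victim->deactivated = true;
    for (int i = 0; i < s->n; i++) {
        struct elem *e = &s->e[i];
        if (!e->mapped || e->key != victim->key) continue;
        if (verify && !e->deactivated) continue;
        e->mapped = false;
        return true;
    }
    return false;
}

/* Advisory scenario: a fresh element shares key 42 with a timed-out one, and
 * the timed-out one is removed. Constructed ordering: a key-only lookup hits
 * the fresh element first. */
static struct outcome run_scenario(bool verify)
{
    struct set s = {0};
    struct outcome o = {0, 0};
    add(&s, 42);                         /* fresh, still-live element */
    struct elem *expired = add(&s, 42);  /* timed-out element being removed */
    remove_elem(&s, expired, verify);
    for (int i = 0; i < s.n; i++) {
        if (s.e[i].deactivated && s.e[i].mapped) o.stale++;    /* freed soon, still reachable */
        if (!s.e[i].deactivated && !s.e[i].mapped) o.leaked++; /* live, yet unreachable */
    }
    return o;
}
```

Under the buggy path the live element ends up unmapped (leaked) while the deactivated one stays reachable (stale); under the fixed path neither happens.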

Defensive priority

MEDIUM

Recommended defensive actions

  • Apply vendor-provided kernel updates to address the nft_set_pipapo use-after-free condition
  • For Siemens SINEC OS and affected SCALANCE/RUGGEDCOM products, update to V3.1 or later as specified in vendor security advisory
  • Monitor nftables set operations for abnormal patterns involving rapid element addition and removal with short timeouts
  • Implement network segmentation to limit exposure of netfilter/nftables interfaces to untrusted networks
  • Review and restrict administrative access to nftables configuration to reduce attack surface
  • Consider enabling kernel memory sanitizers (KASAN) in test environments to detect similar use-after-free conditions during validation

Evidence notes

The vulnerability description is derived from the Linux kernel commit message resolving the issue, as cited in CISA advisory ICSA-25-226-15 and Siemens ProductCERT SSA-613116. The technical analysis of the two-step removal process and key collision scenario is based on the detailed commit notes provided in the source corpus. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H yields a base score of 5.9 (MEDIUM), reflecting network attack vector but high attack complexity due to the specific timing conditions required.
