PatchSiren cyber security CVE debrief
CVE-2024-27396 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's GTP (GPRS Tunneling Protocol) network subsystem. The flaw occurs in the gtp_dellink function where call_rcu is invoked during an hlist_for_each_entry_rcu traversal outside of an RCU read critical section. This timing window allows the RCU grace period to complete during iteration, potentially freeing memory while it is still being accessed. The vulnerability has been resolved by changing the traversal to hlist_for_each_entry_safe. Siemens has identified this as affecting certain industrial networking products running SINEC OS, with a vendor fix available in version 3.1 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
- Organizations running Linux-based industrial networking equipment, particularly Siemens SCALANCE and RUGGEDCOM products with SINEC OS.
- System administrators maintaining GTP-enabled Linux kernels.
- OT security teams responsible for patch management in industrial control environments.
Technical summary
The vulnerability stems from improper RCU (Read-Copy-Update) synchronization in the Linux kernel's GTP (GPRS Tunneling Protocol) implementation. Specifically, in gtp_dellink, the hlist_for_each_entry_rcu macro is used to traverse a hash list, but call_rcu is invoked within this traversal without RCU read-side protection. Since call_rcu schedules deferred freeing, the RCU grace period may elapse during iteration, causing the 'key' structure to be freed while the traversal continues. The fix replaces hlist_for_each_entry_rcu with hlist_for_each_entry_safe, which permits safe removal during iteration. This is a classic RCU UAF pattern where the grace period window is not properly accounted for in the traversal logic.
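The traversal pattern described above, modelled in userspace C as an added example (not the kernel's code or the vendor's): nodes are flagged rather than actually freed, so the stale read can be counted without undefined behaviour. All names are constructed, and the grace period is assumed to end immediately after each deferred free is queued.

```c
/* Userspace model of the traversal pattern; constructed names, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct node { struct node *next; bool freed; }; /* freed: memory was released */
static int stale_reads; /* loads from a node after its deferred free ran */

/* Stand-in for call_rcu() outside a read-side section: worst case, free runs at once. */
static void deferred_free_now(struct node *n) { n->freed = true; }

/* All next-pointer loads go through here so stale accesses are counted. */
static struct node *load_next(struct node *n) { stale_reads += n->freed; return n->next; }

/* Vulnerable shape: the iterator reads pos->next after the body released pos. */
static int delete_all_unsafe(struct node *head)
{
    stale_reads = 0;
    for (struct node *pos = head; pos; pos = load_next(pos))
        deferred_free_now(pos);
    return stale_reads;
}

/* Fixed shape (the _safe iterator): next is cached before the body runs. */
static int delete_all_safe(struct node *head)
{
    stale_reads = 0;
    for (struct node *pos = head, *nxt; pos; pos = nxt) {
        nxt = load_next(pos);
        deferred_free_now(pos);
    }
    return stale_reads;
}

/* Constructed sample: a three-entry hash bucket, relinked for each run. */
static struct node *make_bucket(struct node n[3])
{
    for (int i = 0; i < 3; i++)
        n[i] = (struct node){ i < 2 ? &n[i + 1] : NULL, false };
    return n;
}

int main(void)
{
    struct node a[3], b[3];
    printf("unsafe stale reads: %d\n", delete_all_unsafe(make_bucket(a)));
    printf("safe stale reads:   %d\n", delete_all_safe(make_bucket(b)));
}
```

Every entry is released in both runs; only the unsafe loop touches an entry after its release, once per node.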
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided updates to SINEC OS V3.1 or later for affected Siemens industrial networking products
- For Linux kernel deployments, ensure kernel version includes the fix for net: gtp: Use-After-Free in gtp_dellink
- Review and validate RCU synchronization patterns in custom GTP implementations
- Monitor CISA ICS advisories for additional affected product announcements
- Implement network segmentation for industrial control systems per CISA recommended practices
Evidence notes
The vulnerability description is sourced from the Linux kernel commit message resolving the issue, as reflected in CISA CSAF advisory ICSA-25-226-15. Siemens ProductCERT advisory SSA-613116 provides affected product and remediation information. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates local attack vector with low attack complexity, requiring low privileges but no user interaction, with high impact across confidentiality, integrity, and availability.
Official resources
- CVE-2024-27396 CVE record (CVE.org)
- CVE-2024-27396 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12