PatchSiren cyber security CVE debrief
CVE-2024-35848 Siemens CVE debrief
A race condition in the Linux kernel's at24 EEPROM driver could lead to memory corruption. The vulnerability occurs when an EEPROM device is not accessible: the driver registers an nvmem device, the read operation fails, and the device is torn down. If another driver accesses the nvmem device after teardown, it references invalid memory. The fix moves the failure point to occur before nvmem device registration, preventing the race condition. Siemens has identified this vulnerability as affecting certain industrial networking products running SINEC OS, with a vendor fix available in version 3.1 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: NONE
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, or RUGGEDCOM RST2428P industrial networking equipment; Linux kernel maintainers and embedded systems developers using the at24 EEPROM driver; OT security teams responsible for firmware lifecycle management in industrial environments.
Technical summary
The at24 driver in the Linux kernel's EEPROM subsystem contained a race condition where device registration and teardown could interleave with concurrent driver access. When EEPROM hardware is inaccessible, the driver path was: register nvmem device → read fails → tear down device. A concurrent driver accessing the nvmem device after teardown but before complete cleanup would reference freed memory. The resolution restructures initialization to validate EEPROM accessibility before registering the nvmem device, eliminating the window for the race condition.
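The two probe orderings described above, as an added example rather than code from the kernel or from Siemens. It is a single-threaded userspace C model: every name in it (model_dev, model_register, probe_register_first and so on) is hypothetical, the concurrent driver is simulated by taking a handle at the moment of registration, and an alive flag stands in for freed memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model only: none of these names are kernel APIs. */
struct model_dev { int alive; };
static struct model_dev *registry;      /* what other drivers can look up */
static struct model_dev *consumer_ref;  /* handle held by a second driver */

static void model_register(struct model_dev *d) {
    registry = d;
    consumer_ref = registry;  /* worst case: second driver looks up right now */
}

static void model_teardown(struct model_dev *d) {
    registry = NULL;
    d->alive = 0;             /* stands in for the memory being freed */
}

/* Constructed stand-in for the test read; fails when the EEPROM is absent. */
static int model_test_read(int hw_present) { return hw_present ? 0 : -1; }

/* Ordering described as vulnerable: publish, then read, then tear down. */
static int probe_register_first(struct model_dev *d, int hw_present) {
    d->alive = 1;
    model_register(d);
    if (model_test_read(hw_present) < 0) { model_teardown(d); return -1; }
    return 0;
}

/* Ordering described as the fix: read before anything is published. */
static int probe_read_first(struct model_dev *d, int hw_present) {
    d->alive = 1;
    if (model_test_read(hw_present) < 0) { d->alive = 0; return -1; }
    model_register(d);
    return 0;
}

/* Returns 1 if a consumer is left holding a handle to a dead device. */
static int stale_handle_after(int (*probe)(struct model_dev *, int), int hw_present) {
    struct model_dev d = {0};
    registry = NULL; consumer_ref = NULL;
    probe(&d, hw_present);
    return consumer_ref != NULL && !consumer_ref->alive;
}

int main(void) {
    printf("register-first, EEPROM absent: stale=%d\n", stale_handle_after(probe_register_first, 0));
    printf("read-first,     EEPROM absent: stale=%d\n", stale_handle_after(probe_read_first, 0));
    return 0;
}
```

With the EEPROM present, neither ordering leaves a stale handle; the difference only appears on the failure path.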
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to SINEC OS V3.1 or later for affected Siemens SCALANCE and RUGGEDCOM products
- Review product security advisories from Siemens ProductCERT for deployment guidance
- Implement network segmentation for industrial control systems per CISA recommended practices
- Monitor for anomalous system behavior indicating potential memory corruption in EEPROM-dependent subsystems
Evidence notes
CVE published 2025-08-12; modified 2026-02-25. Source advisory ICSA-25-226-15 was published on the same date, with multiple revisions through 2026-02-25. Siemens ProductCERT SSA-613116 is the canonical vendor advisory. CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N indicates a network attack vector with high attack complexity and no confidentiality/integrity/availability impact scored.
Official resources
- CVE-2024-35848 CVE record (CVE.org)
- CVE-2024-35848 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12