PatchSiren cyber security CVE debrief
CVE-2024-35852 Siemens CVE debrief
A memory leak vulnerability exists in the Linux kernel's Mellanox Spectrum switch driver (mlxsw) within the ACL TCAM rehash work handling. The issue occurs when ACL region dismantle cancels a pending rehash work that has associated allocation hints, causing those hints to leak. The root cause stems from a logic change where non-negative credit counts no longer reliably indicate migration completion, allowing pending work with allocated hints to exist during cancellation. Siemens has identified affected products in their SCALANCE and RUGGEDCOM networking equipment families that incorporate the vulnerable kernel code. The vulnerability was resolved by ensuring hints are freed when canceling pending rehash work.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: NONE
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens SCALANCE or RUGGEDCOM industrial networking infrastructure, particularly those with ACL-intensive configurations or frequent policy changes that trigger rehash operations. System administrators responsible for firmware lifecycle management in OT environments. Security teams monitoring memory exhaustion conditions in embedded Linux systems.
Technical summary
The vulnerability exists in the mlxsw (Mellanox Spectrum switch) driver's ACL TCAM rehash work implementation. The rehash delayed work uses a credit-based system to manage migration operations. Previously, non-negative credits indicated migration completion; however, after a prior fix for use-after-free conditions, this assumption became invalid as errors could also result in non-negative credits with pending rescheduling. When ACL region dismantle cancels pending rehash work, any associated hints allocated during migration initiation would leak. The fix ensures hints are properly freed when canceling work that has associated hints. The vulnerability affects Siemens industrial networking products running SINEC OS with vulnerable kernel versions, including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P.
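The leak path described above, as a userspace C model added here (not the mlxsw driver's code or the upstream patch). All names, the 64-byte allocation and the credit values are assumptions chosen for illustration: an error leaves non-negative credits with hints still allocated, and only the fixed dismantle path frees them.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the leak; every name is hypothetical, not the driver's. */
static int live_hints;                  /* outstanding hint allocations */
struct rehash_ctx { void *hints; };     /* non-NULL while a migration is open */

static void hints_put(struct rehash_ctx *ctx)
{
    free(ctx->hints);
    ctx->hints = NULL;
    live_hints--;
}

/* One run of the rehash work; returns the credits left over. */
static int rehash_work(struct rehash_ctx *ctx, int credits, bool error)
{
    if (!ctx->hints) {                  /* migration start: allocate hints */
        if (!(ctx->hints = malloc(64)))
            abort();
        live_hints++;
    }
    if (error)                          /* credits stay >= 0, work is requeued */
        return credits;                 /* and the hints are still held */
    credits -= 10;                      /* migrate entries, spending credits */
    if (credits >= 0)                   /* finished within budget */
        hints_put(ctx);
    return credits;
}

/* Region dismantle: pending work is cancelled; returns hints still allocated. */
static int region_destroy(struct rehash_ctx *ctx, bool fixed)
{
    if (fixed && ctx->hints)            /* the fix: free the cancelled work's hints */
        hints_put(ctx);
    return live_hints;
}

static int leaked_after_error(bool fixed)
{
    struct rehash_ctx ctx = {0};
    live_hints = 0;
    rehash_work(&ctx, 100, true);       /* migration hits an error */
    return region_destroy(&ctx, fixed);
}

int main(void)
{
    printf("leaked: unfixed=%d fixed=%d\n", leaked_after_error(false), leaked_after_error(true));
    return 0;
}
```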
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.1 or later for affected SCALANCE and RUGGEDCOM products per Siemens ProductCERT guidance
- Review ACL configuration changes and maintenance windows to minimize exposure during rehash operations
- Monitor system memory utilization on affected devices for anomalous growth patterns
- Implement network segmentation for industrial control systems per CISA recommended practices
- Establish maintenance procedures to ensure timely application of kernel security updates for embedded Linux systems
Evidence notes
The CVE was published 2025-08-12 per the official CVE record. The source CISA CSAF advisory, ICSA-25-226-15, was published the same date. Siemens ProductCERT advisory SSA-613116 provides vendor fix details. The CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N indicates a network attack vector with high complexity, no privileges required, user interaction required, and no impact to confidentiality, integrity, or availability in the assessed configuration.
Official resources
- CVE-2024-35852 CVE record (CVE.org)
- CVE-2024-35852 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12