PatchSiren cyber security CVE debrief
CVE-2024-35854 Siemens CVE debrief
A use-after-free vulnerability in the Linux kernel's Mellanox Spectrum switch driver (mlxsw) could allow local attackers to cause memory corruption. The flaw occurs in the ACL TCAM rehash mechanism where a region containing active filters may be prematurely destroyed following a failed migration, leading to slab-use-after-free conditions when subsequent operations reference the freed memory. The vulnerability stems from incorrect logic that assumes non-negative credit counts indicate successful migration completion, when such values can also result from migration failures. Siemens has confirmed this affects SINEC OS-based products including RUGGEDCOM RST2428P and SCALANCE switch families. CISA published advisory ICSA-25-226-15 on 2025-08-12 with subsequent updates through 2026-02-25.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens SINEC OS-based industrial network infrastructure including RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 families; OT security teams managing ACL configurations on Mellanox Spectrum-based switches; kernel maintainers backporting mlxsw fixes
Technical summary
The vulnerability exists in the mlxsw (Mellanox switch) driver's spectrum_acl_tcam rehash workqueue handler. During ACL region migration, the rehash delayed work moves filters between regions based on available credits. The code incorrectly destroys the source region when credits are non-negative, assuming migration completed successfully. However, non-negative credits can also indicate migration failure, leaving active filter references to freed memory. The KASAN report shows the use-after-free occurs in mlxsw_sp_acl_ctcam_region_entry_remove when processing a workqueue item, with the freed object originally allocated by mlxsw_sp_acl_tcam_region_create and freed by mlxsw_sp_acl_tcam_region_destroy during the same rehash work execution. The fix prevents region destruction when migration fails.
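As an added illustration of the faulty decision described above (a constructed model with hypothetical names, not the mlxsw driver's code): a migration step that fails partway still leaves a non-negative credit count, so a check on credits alone destroys a region that active filters still reference, while a check on the migration result does not.

```c
/* Constructed model (hypothetical names, not the mlxsw driver's code). */
#include <stdbool.h>
struct region {
    int active_filters;   /* filters still referencing this region */
    bool destroyed;       /* modelled free: set instead of calling free() */
};

struct rehash_ctx {
    struct region *src;   /* region being migrated away from */
    int credits;          /* work budget remaining after the step */
    int err;              /* 0 on success, negative on failure */
};

/* Modelled migration step: moves up to `credits` filters out of src; a
 * simulated hardware error aborts it with filters still left in src. */
static void migrate_step(struct rehash_ctx *ctx, bool inject_error)
{
    while (ctx->credits > 0 && ctx->src->active_filters > 0) {
        if (inject_error) {
            ctx->err = -1;          /* failed, yet credits are still >= 0 */
            return;
        }
        ctx->src->active_filters--;
        ctx->credits--;
    }
    ctx->err = 0;
}
static void region_destroy(struct region *r) { r->destroyed = true; }
static void rehash_end_vulnerable(struct rehash_ctx *ctx)
{   /* vulnerable: non-negative credits taken to mean "migration done" */
    if (ctx->credits >= 0)
        region_destroy(ctx->src);   /* src may still hold active filters */
}
static void rehash_end_fixed(struct rehash_ctx *ctx)
{   /* fixed: destroy the source only when migration really completed */
    if (ctx->err == 0 && ctx->src->active_filters == 0)
        region_destroy(ctx->src);
}

/* One rehash cycle; true if a region with live filters was destroyed,
 * which is the precondition for the later use-after-free. */
bool rehash_leaves_dangling(bool fixed, bool inject_error)
{
    struct region src = { .active_filters = 3 };
    struct rehash_ctx ctx = { .src = &src, .credits = 10 };
    migrate_step(&ctx, inject_error);
    if (fixed) rehash_end_fixed(&ctx); else rehash_end_vulnerable(&ctx);
    return src.destroyed && src.active_filters > 0;
}
```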
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.1 or later for affected Siemens SINEC OS products per Siemens ProductCERT guidance
- Review and implement CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
- Monitor for kernel crash logs or KASAN reports indicating use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove or related functions
- Until patches are applied, verify that ACL configuration changes made during maintenance windows do not trigger TCAM rehash operations
- Segment management interfaces for affected switch families to limit local attack vector exposure
Evidence notes
CVE published 2025-08-12; modified 2026-02-25. Source CISA CSAF advisory ICSA-25-226-15 with revision history showing four updates, most recent 2026-02-25. Siemens ProductCERT SSA-613116 referenced as basis for republication. CVSS 8.8 HIGH per source. CWE-416 (Use After Free) identified. Affected product confirmed: RUGGEDCOM RST2428P (6GK6242-6PA00). Vendor fix available: update to V3.1 or later.
Official resources
- CVE-2024-35854 CVE record (CVE.org)
- CVE-2024-35854 NVD detail (NVD)
- Source item URL (cisa_csaf)