PatchSiren

CVE-2024-35855 Siemens CVE debrief

A use-after-free vulnerability exists in the Linux kernel's Mellanox Spectrum switch driver (mlxsw) ACL TCAM subsystem. The flaw occurs when the rule activity update delayed work traverses configured rules while the rehash delayed work concurrently modifies the same entry pointer, leading to a race condition. The vulnerability was resolved by performing the activity query under the vregion->lock mutex to prevent concurrent access.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: NONE
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial network infrastructure including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P switches running SINEC OS versions prior to V3.1. Critical infrastructure operators and manufacturing environments using these devices for industrial network segmentation should prioritize patching.

Technical summary

The vulnerability exists in the spectrum_acl_tcam module of the mlxsw (Mellanox switch) driver. Two delayed work items, rule activity update and rehash, can race when accessing ventry->entry. The activity update work reads the entry pointer while the rehash work may free and reallocate it, causing a use-after-free. The fix takes vregion->lock around the activity query to serialize access. On affected kernels the crash manifests as a KASAN slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get during workqueue execution.
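The serialization described above, as an added user-space model built on POSIX threads; it is not code from the kernel driver, from Siemens or from this page. The struct layouts, the function names rehash_work, activity_work and run_model, and the ROUNDS constant are assumptions made for illustration; only the names entry, ventry and vregion->lock echo the advisory.

```c
#include <pthread.h>
#include <stdlib.h>
/* Simplified user-space stand-ins: names echo the advisory, not the driver's real layout. */
struct entry   { unsigned long hits; };
struct vregion { pthread_mutex_t lock; };
struct ventry  { struct entry *entry; struct vregion *vregion; };
enum { ROUNDS = 20000 };   /* assumed iteration count for the model */

/* Rehash work: move the rule to a new entry, then free the old one. */
static void *rehash_work(void *arg)
{
    struct ventry *v = arg;
    for (int i = 0; i < ROUNDS; i++) {
        struct entry *fresh = calloc(1, sizeof(*fresh));
        if (!fresh) break;
        pthread_mutex_lock(&v->vregion->lock);
        fresh->hits = v->entry->hits;
        free(v->entry);            /* old entry is gone ... */
        v->entry = fresh;          /* ... and the pointer now names the new one */
        pthread_mutex_unlock(&v->vregion->lock);
    }
    return NULL;
}

/* Activity update work: pointer load and dereference both sit under the lock, so rehash cannot free in between. */
static void *activity_work(void *arg)
{
    struct ventry *v = arg;
    for (int i = 0; i < ROUNDS; i++) {
        pthread_mutex_lock(&v->vregion->lock);
        v->entry->hits++;
        pthread_mutex_unlock(&v->vregion->lock);
    }
    return NULL;
}
/* Run both workers concurrently; returns the final hit count, or 0 on setup failure. */
unsigned long run_model(void)
{
    struct vregion vr = { PTHREAD_MUTEX_INITIALIZER };
    struct ventry v = { calloc(1, sizeof(struct entry)), &vr };
    pthread_t a, r;
    if (!v.entry) return 0;
    int rc_r = pthread_create(&r, NULL, rehash_work, &v);
    int rc_a = pthread_create(&a, NULL, activity_work, &v);
    if (!rc_a) pthread_join(a, NULL);
    if (!rc_r) pthread_join(r, NULL);
    unsigned long hits = (rc_a || rc_r) ? 0 : v.entry->hits;
    free(v.entry);
    return hits;
}
```

Build with `cc -pthread`. Because every access to the entry pointer is made while holding the lock, each of the ROUNDS activity updates lands on a live entry and the count survives every rehash.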

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to V3.1 or later for affected Siemens SCALANCE and RUGGEDCOM products
  • Verify SINEC OS version on affected industrial network devices and upgrade if below V3.1
  • Monitor vendor security advisories for additional affected product families
  • Implement network segmentation for industrial control systems per CISA recommended practices
  • Review and apply defense-in-depth strategies for ICS environments

Evidence notes

The vulnerability is documented in CISA ICS advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. The issue affects Siemens industrial networking products running SINEC OS that incorporate the vulnerable Linux kernel mlxsw driver. The KASAN slab-use-after-free report shows the crash occurring in mlxsw_sp_acl_tcam_flower_rule_activity_get during workqueue processing.
