PatchSiren cyber security CVE debrief
CVE-2024-36007 Siemens CVE debrief
A vulnerability in the Linux kernel's Mellanox switch driver (mlxsw) could cause system warnings due to improper state handling during ACL TCAM rehash operations. The flaw occurs when error recovery fails to reset all migration markers, potentially causing the rehash work to resume from an invalid entry position. This can lead to a chunk structure being incorrectly processed as an entry, generating warnings. While this does not cause memory corruption (no KASAN splats), it represents a logic error in state management that could affect system stability. Siemens has confirmed this vulnerability affects certain industrial networking products running SINEC OS, which incorporates the vulnerable Linux kernel code. The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector with low attack complexity, requiring low privileges but no user interaction, with high availability impact.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, or RUGGEDCOM RST2428P industrial Ethernet switches in operational technology (OT) environments. System administrators responsible for Linux kernel networking drivers, particularly mlxsw implementations. Security teams managing industrial control system (ICS) infrastructure requiring high availability with minimal disruption.
Technical summary
The vulnerability exists in the mlxsw (Mellanox switch) driver's spectrum ACL TCAM rehash mechanism. During filter migration between regions, the rehash delayed work uses chunk and entry markers to track progress. When errors occur, only the chunk marker is reset to NULL without resetting the relative entry markers. This desynchronization can cause subsequent rehash work to resume from an entry that does not belong to the current chunk, eventually leading to a chunk being iterated as if it were an entry. The fix introduces a helper function to consistently reset all markers and adds warnings to prevent future occurrences. The vulnerability is local-only with no confidentiality or integrity impact, but can cause availability degradation through warning generation and potential system instability.
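The marker desynchronization described above, as an added example that is not the kernel driver's code: a simplified user-space model in which every struct and function name is hypothetical. It compares an error path that clears only the chunk marker with a helper that clears all markers, then resumes migration from a different chunk.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not kernel symbols. */
struct entry { int chunk_id; };                 /* id of the chunk owning this entry */
struct chunk { int id; struct entry entries[3]; };
struct rehash_ctx {                             /* migration progress markers */
    struct chunk *current_chunk;
    struct entry *start_entry, *stop_entry;
};

/* Flawed error path: only the chunk marker is cleared. */
static void reset_chunk_only(struct rehash_ctx *ctx) { ctx->current_chunk = NULL; }

/* Fixed error path: one helper clears every marker together. */
static void reset_all_markers(struct rehash_ctx *ctx)
{
    ctx->current_chunk = NULL;
    ctx->start_entry = ctx->stop_entry = NULL;
}

/* Resume migrating chunk c. Returns 0 on a sane start position, -1 when the
 * saved entry marker belongs to another chunk (the state behind the warning). */
static int resume_chunk(struct rehash_ctx *ctx, struct chunk *c)
{
    struct entry *first = ctx->start_entry ? ctx->start_entry : &c->entries[0];
    if (first->chunk_id != c->id)
        return -1;
    ctx->current_chunk = c;
    ctx->start_entry = first;
    return 0;
}

/* Interrupt migration inside chunk B, hit an error, then restart from chunk A. */
static int simulate(int use_fix)
{
    struct chunk a = { 0, { {0}, {0}, {0} } }, b = { 1, { {1}, {1}, {1} } };
    struct rehash_ctx ctx = { &b, &b.entries[1], &b.entries[2] };
    if (use_fix)
        reset_all_markers(&ctx);
    else
        reset_chunk_only(&ctx);
    return resume_chunk(&ctx, &a);
}

int main(void)
{
    printf("chunk-only reset: %d, full reset: %d\n", simulate(0), simulate(1));
    return 0;
}
```

The ownership check in `resume_chunk` plays the role of the warnings the fix adds: the model reports the stale marker instead of iterating from it.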
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.1 or later for affected Siemens SCALANCE and RUGGEDCOM products per Siemens ProductCERT advisory
- Review network segmentation for industrial control systems to limit local access to affected devices
- Monitor system logs for warnings related to mlxsw spectrum ACL operations as potential indicators of trigger conditions
- Follow CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
Evidence notes
Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-15, which republishes Siemens ProductCERT advisory SSA-613116. The flaw is in mlxsw: spectrum_acl_tcam rehash delayed work where chunk and entry markers are not properly synchronized on error paths. Siemens remediation guidance specifies update to V3.1 or later. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms local attack with availability impact only.
Official resources
- CVE-2024-36007 CVE record (CVE.org)
- CVE-2024-36007 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12