PatchSiren cyber security CVE debrief
CVE-2024-36883 Siemens CVE debrief
This CVE addresses a race condition in the Linux kernel's networking subsystem that could lead to out-of-bounds memory access. The vulnerability exists in the `net_alloc_generic` function, which is called by `net_alloc` without proper locking. The function reads `max_gen_ptrs` twice—once to allocate an array and again to set `s.len`—creating a window where a concurrent thread registering new pernet operations could increment `max_gen_ptrs` between these reads. This results in `s.len` being set larger than the allocated array size, enabling subsequent out-of-bounds access. The fix ensures `max_gen_ptrs` is read only once in `net_alloc_generic`, with any later increments caught by `net_assign_generic`. Siemens has identified this vulnerability as affecting SINEC OS and related industrial networking products, with remediation available through updates to version 3.1 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: NONE
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment running SINEC OS, particularly SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family and RUGGEDCOM RST2428P switches. System administrators responsible for Linux kernel networking stacks in multi-threaded environments. Industrial control system security teams managing firmware update lifecycles.
Technical summary
The vulnerability is a time-of-check-time-of-use (TOCTOU) race condition in Linux kernel networking code. The `net_alloc_generic` function performs two unsynchronized reads of `max_gen_ptrs`: first for array allocation, then for setting `s.len`. `max_gen_ptrs` is modified under `pernet_ops_rwsem`, which the allocation path does not hold, so a concurrent `register_pernet_subsys` or similar operation can increment it between these reads, leaving the allocated array smaller than the length recorded in `s.len` that later bounds checks rely on. The kernel fix reads `max_gen_ptrs` once and uses that single value for both the allocation and `s.len`, with `net_assign_generic` catching any later increment.
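The double read and the single-read fix described above, as an added user-space model (not the kernel source and not code from the advisory). The struct name, the `capacity` field and `race_hook`, which forces the increment to land between the two reads so the result is deterministic, are hypothetical names introduced for this example.

```c
/* User-space model of the double read; constructed for illustration, not kernel code. */
#include <stdlib.h>

/* len: bound later lookups trust (s.len); capacity: model-only, slots allocated. */
struct net_generic_model { unsigned int len, capacity; void **ptr; };

static volatile unsigned int max_gen_ptrs = 4;  /* shared counter */
static void (*race_hook)(void);                 /* model-only: concurrent registration */
static void bump_max_gen_ptrs(void) { max_gen_ptrs++; }

/* Allocate the container and n pointer slots. */
static struct net_generic_model *alloc_slots(unsigned int n)
{
    struct net_generic_model *ng = calloc(1, sizeof(*ng));
    if (!ng) return NULL;
    ng->capacity = n;
    ng->ptr = calloc(n, sizeof(void *));
    if (!ng->ptr) { free(ng); return NULL; }
    return ng;
}

/* Pre-fix shape: two separate reads of the shared counter. */
static struct net_generic_model *alloc_double_read(void)
{
    struct net_generic_model *ng = alloc_slots(max_gen_ptrs); /* read 1 sizes the array */
    if (race_hook) race_hook();                               /* window between reads */
    if (ng) ng->len = max_gen_ptrs;                           /* read 2 sets the bound */
    return ng;
}

/* Fixed shape: one read, reused for both the size and the bound. */
static struct net_generic_model *alloc_single_read(void)
{
    unsigned int gen_ptrs = max_gen_ptrs;                     /* the only read */
    struct net_generic_model *ng = alloc_slots(gen_ptrs);
    if (race_hook) race_hook();                               /* same interleaving */
    if (ng) ng->len = gen_ptrs;
    return ng;
}

/* 1 if len exceeds the allocated slots, 0 if not, -1 on allocation failure. */
static int bound_exceeds_allocation(int use_fix)
{
    max_gen_ptrs = 4;
    race_hook = bump_max_gen_ptrs;
    struct net_generic_model *ng = use_fix ? alloc_single_read() : alloc_double_read();
    int bad = ng ? (ng->len > ng->capacity) : -1;
    if (ng) { free(ng->ptr); free(ng); }
    return bad;
}
int main(void) { return !(bound_exceeds_allocation(0) == 1 && bound_exceeds_allocation(1) == 0); }
```

With the same interleaving, the double-read variant records a length one larger than the array it allocated, while the single-read variant keeps the two equal.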
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to SINEC OS version 3.1 or later for affected Siemens industrial networking products
- Review network segmentation for industrial control systems to limit exposure of affected devices
- Monitor Siemens ProductCERT advisories for additional affected product notifications
- Implement defense-in-depth strategies for industrial control systems per CISA guidance
Evidence notes
The vulnerability description is derived from the Linux kernel commit message and Siemens ProductCERT advisory SSA-613116, as republished by CISA in ICSA-25-226-15. The race condition affects kernel networking initialization code. Siemens remediation guidance specifies update to V3.1 or later. The CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N indicates network attack vector with high attack complexity, no confidentiality or integrity impact, and no availability impact scored—resulting in a NONE severity rating.
Official resources
- CVE-2024-36883 CVE record (CVE.org)
- CVE-2024-36883 NVD detail (NVD)
- Source item URL (cisa_csaf)