CVE-2024-36901 Siemens CVE debrief

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE X-family industrial Ethernet switches running SINEC OS should monitor this advisory. Network administrators responsible for IPv6-enabled industrial networks and security teams managing OT/ICS environments with Linux-based embedded systems should track vendor patch availability.

Technical summary

The vulnerability exists in the Linux kernel's IPv6 output path where ip6_dst_idev() may return NULL, leading to a NULL pointer dereference in ip6_output(). This is a classic defensive programming issue where a return value is not validated before use. The syzbot kernel fuzzer identified this code path as potentially exploitable. While the CVSS score of 5.5 indicates medium severity, the impact on industrial control systems may be elevated due to availability requirements. The advisory marks this CVE with 'Misinformed' impact status, suggesting potential discrepancies in initial severity assessment or affected product identification.

Defensive priority

medium

Recommended defensive actions

• Review Siemens ProductCERT advisory SSA-355557 for definitive affected product and patch information
• Verify SINEC OS version and installed kernel packages on affected Siemens industrial networking equipment
• Apply vendor-provided firmware updates when available per Siemens ProductCERT guidance
• Monitor CISA ICS advisories for updates to ICSA-25-226-07
• Implement network segmentation for industrial control systems per CISA recommended practices

Evidence notes

The source advisory (ICSA-25-226-07) indicates this CVE was initially included in a broader Siemens third-party components advisory but was subsequently marked as 'Misinformed' impact in the threats section. The February 2026 updates to the advisory removed multiple rejected CVEs and clarified affected product configurations, suggesting ongoing refinement of the vulnerability scope assessment.

Official resources