PatchSiren cyber security CVE debrief
CVE-2024-36902 Siemens CVE debrief
CVE-2024-36902 is a NULL pointer dereference vulnerability in the Linux kernel's IPv6 fib6_rules subsystem. The flaw exists in fib6_rule_action() where ip6_dst_idev() can return NULL but is used without validation, leading to a kernel crash. This vulnerability was discovered by syzbot and affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE X-family switches. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM) with local attack vector, low attack complexity, and low privileges required, resulting in high availability impact. Siemens has released updates to address this issue, with remediation available in SINEC OS V3.1 or later. CISA published advisory ICSA-25-226-15 on August 12, 2025, with subsequent updates through February 2026 to correct affected product listings and incorporate the latest Siemens ProductCERT guidance.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. Critical infrastructure operators, manufacturing facilities, and utility providers using SINEC OS-based industrial Ethernet switches should prioritize patching. Security teams responsible for OT/ICS environments and network administrators managing IPv6-enabled industrial networks need to assess exposure and apply updates.
Technical summary
The vulnerability resides in the Linux kernel's IPv6 routing subsystem, specifically in fib6_rule_action() within net/ipv6/fib6_rules.c. The function ip6_dst_idev() retrieves the IPv6 destination device structure but can legitimately return NULL in certain conditions. The code path fails to validate this return value before dereferencing, resulting in a NULL pointer dereference and kernel oops/panic. This is a local vulnerability requiring low privileges, making it exploitable by authenticated users or processes with limited capabilities. The crash affects system availability but does not provide confidentiality or integrity compromise. The syzbot kernel fuzzer successfully triggered this crash, demonstrating the vulnerability is reachable through system calls.
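The defect class described above, shown as an added, constructed userland model rather than kernel code: a lookup modelled on ip6_dst_idev() that may legitimately return NULL, the unchecked use beside the checked form, with struct layouts and the "no match, continue with the next rule" return value being simplifying assumptions.

```c
/* Constructed model of the fib6_rule_action() defect; not kernel code.
 * Struct shapes and return values are simplified for illustration. */
#include <stdio.h>
#include <stddef.h>

#define RULE_NO_MATCH 1   /* model of "this rule does not apply, continue" */

struct net_device { char name[16]; unsigned int addr; };
struct inet6_dev  { struct net_device *dev; };
struct dst_entry  { struct inet6_dev *idev; };  /* NULL after device teardown */
struct rt6_info   { struct dst_entry dst; };
struct fib6_rule  { unsigned int src; };

/* Model of ip6_dst_idev(): can legitimately return NULL. */
static struct inet6_dev *ip6_dst_idev(struct dst_entry *dst)
{
    return dst->idev;
}

/* Model of fib6_rule_saddr(): the rule matches when the source is on dev. */
static int fib6_rule_saddr(const struct fib6_rule *rule, const struct net_device *dev)
{
    return rule->src == dev->addr ? 0 : RULE_NO_MATCH;
}

/* Vulnerable shape: the idev pointer is dereferenced with no validation,
 * so a NULL return becomes a NULL pointer dereference (a kernel oops). */
static int fib6_rule_action_unchecked(const struct fib6_rule *rule, struct rt6_info *rt)
{
    return fib6_rule_saddr(rule, ip6_dst_idev(&rt->dst)->dev);
}

/* Checked shape: a missing device cannot satisfy the rule, so report
 * "no match" and let the lookup move on instead of crashing. */
static int fib6_rule_action_checked(const struct fib6_rule *rule, struct rt6_info *rt)
{
    struct inet6_dev *idev = ip6_dst_idev(&rt->dst);
    if (!idev)
        return RULE_NO_MATCH;
    return fib6_rule_saddr(rule, idev->dev);
}

int main(void)
{
    struct net_device eth = { "eth0", 0x2001 };       /* constructed sample */
    struct inet6_dev  idev = { &eth };
    struct rt6_info   live = { { &idev } }, torn = { { NULL } };
    struct fib6_rule  rule = { 0x2001 };
    printf("live route: %d\n", fib6_rule_action_checked(&rule, &live));
    printf("torn-down route: %d\n", fib6_rule_action_checked(&rule, &torn));
    return 0;  /* fib6_rule_action_unchecked(&rule, &torn) would crash here */
}
```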
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to SINEC OS V3.1 or later for affected SCALANCE and RUGGEDCOM devices
- Verify device firmware versions against Siemens ProductCERT advisory SSA-613116
- Implement network segmentation for industrial control systems per CISA ICS recommended practices
- Monitor for anomalous IPv6 traffic patterns that could trigger the vulnerable code path
- Review defense-in-depth strategies for industrial control environments
- Ensure security updates are tested in non-production environments before deployment to critical infrastructure
Evidence notes
Vulnerability identified in Linux kernel IPv6 fib6_rules subsystem through syzbot automated testing. The unsafe use of ip6_dst_idev() without NULL checking causes kernel crashes. Siemens ProductCERT SSA-613116 provides vendor remediation guidance. CISA advisory ICSA-25-226-15 underwent multiple revisions: initial publication (2025-08-12), correction of affected products (2026-02-12), removal of unsupported version notes and rejected CVEs (2026-02-24), and final republication with updated Siemens guidance (2026-02-25).
Official resources
- CVE-2024-36902 CVE record (CVE.org)
- CVE-2024-36902 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12