PatchSiren cyber security CVE debrief
CVE-2024-36904 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's TCP implementation within the tcp_twsk_unique() function. The flaw stems from improper reference counting when handling TCP TIME_WAIT sockets, potentially allowing a local attacker to trigger a denial of service condition. The vulnerability was resolved by replacing the reference count increment with refcount_inc_not_zero() to safely handle cases where the reference count may have already reached zero.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P switches running SINEC OS versions prior to 3.1. System administrators maintaining Linux-based industrial control systems and network infrastructure should prioritize patching. Security teams responsible for OT/ICS environments should assess exposure and implement compensating controls where patching is not immediately feasible.
Technical summary
The vulnerability exists in the Linux kernel's TCP stack, specifically in the tcp_twsk_unique() function which handles TIME_WAIT socket state uniqueness checks. The original implementation used a reference count increment without checking if the count had already reached zero, creating a race condition window where a socket could be freed while still being referenced. The fix replaces the unsafe increment with refcount_inc_not_zero(), which atomically checks for zero before incrementing and returns failure if the object is already being destroyed. This prevents the use-after-free scenario that could lead to kernel crashes and denial of service. The CVSS score of 5.5 (MEDIUM) reflects the local attack vector and high availability impact with no confidentiality or integrity impact.
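The difference between the two increments described above, as an added userspace model in C11 atomics (not kernel source and not code from the advisory). The names tw_model, unsafe_hold, hold_not_zero, put and try_reuse are hypothetical, and the kernel's refcount saturation handling is left out.

```c
/* Userspace model of the refcount pattern; assumption-based, not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct tw_model {            /* hypothetical stand-in for a TIME_WAIT socket */
    atomic_uint refcnt;      /* 0 means teardown has already begun */
};

/* Pre-fix pattern: increments unconditionally, so a count that already
 * dropped to 0 is pushed back to 1 while the object is being freed. */
static unsigned unsafe_hold(struct tw_model *tw)
{
    return atomic_fetch_add(&tw->refcnt, 1) + 1;
}

/* Model of refcount_inc_not_zero(): a compare-exchange loop that moves
 * n -> n+1 only when n != 0 and reports failure otherwise. */
static bool hold_not_zero(struct tw_model *tw)
{
    unsigned old = atomic_load(&tw->refcnt);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&tw->refcnt, &old, old + 1))
            return true;     /* on failure, old is reloaded and we retry */
    }
    return false;
}

/* Drop a reference; returns true when the caller released the last one. */
static bool put(struct tw_model *tw)
{
    return atomic_fetch_sub(&tw->refcnt, 1) == 1;
}

/* Assumed caller shape: use the entry only if a reference was obtained. */
static struct tw_model *try_reuse(struct tw_model *tw)
{
    return hold_not_zero(tw) ? tw : NULL;
}

int main(void)
{
    struct tw_model tw;
    atomic_init(&tw.refcnt, 1);
    put(&tw);                                   /* last reference dropped */
    printf("safe hold: %s\n", try_reuse(&tw) ? "taken" : "refused");
    printf("unsafe hold leaves count at %u\n", unsafe_hold(&tw));
    return 0;
}
```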
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to SINEC OS V3.1 or later for affected Siemens SCALANCE and RUGGEDCOM products
- Review Linux kernel version on affected systems and apply upstream kernel patches if running custom builds
- Monitor for anomalous TCP connection behavior or unexpected system crashes on affected industrial network devices
- Implement network segmentation for industrial control systems to limit exposure of vulnerable devices
- Follow CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
Evidence notes
The vulnerability description indicates a resolved Linux kernel TCP implementation flaw involving refcount handling in tcp_twsk_unique(). The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms local attack vector with low attack complexity, low privileges required, and high availability impact. CISA CSAF advisory ICSA-25-226-15 identifies affected Siemens industrial products running SINEC OS. Siemens ProductCERT advisory SSA-613116 provides vendor fix information. The advisory revision history shows multiple updates through February 2026, with the most recent republication on 2026-02-25 incorporating corrections from Siemens.
Official resources
- CVE-2024-36904 CVE record (CVE.org)
- CVE-2024-36904 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12