PatchSiren cyber security CVE debrief
CVE-2024-36929 Siemens CVE debrief
CVE-2024-36929 is a medium-severity vulnerability in the Linux kernel's networking stack affecting SKB_GSO_FRAGLIST socket buffers. The issue stems from improper handling of fraglist GSO skbs in skb_copy() and skb_copy_expand() functions, which can linearize these buffers and render them invalid. This invalidation may subsequently trigger a crash when skb_gso_segment() is called on the corrupted buffer. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM) with a local attack vector, low attack complexity, and low privileges required, resulting in high availability impact. Siemens has identified this vulnerability as affecting multiple industrial networking products including the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices running SINEC OS. The vulnerability was initially published on August 12, 2025, with subsequent advisory updates through February 25, 2026, including corrections to affected product listings and removal of rejected CVEs. A vendor fix is available requiring update to SINEC OS V3.1 or later versions.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens industrial networking infrastructure including SCALANCE XC/XR series switches and RUGGEDCOM RST2428P devices, particularly those in critical infrastructure sectors where high availability requirements intersect with local access scenarios. System administrators maintaining SINEC OS deployments should prioritize patching to V3.1 or later. Security teams assessing Linux kernel networking vulnerabilities in embedded industrial systems should evaluate exposure through local attack vectors.
Technical summary
The vulnerability exists in the Linux kernel's net/core subsystem where skb_copy() and skb_copy_expand() functions fail to validate SKB_GSO_FRAGLIST socket buffers before processing. These fraglist GSO skbs must not be linearized as this operation invalidates their structure. When linearization occurs, subsequent calls to skb_gso_segment() operate on corrupted buffer state, potentially causing kernel crashes. The fix implements NULL return values when fraglist GSO skbs are detected, preventing the invalid linearization operation. This represents a defensive programming pattern to ensure API contract enforcement for GSO buffer handling.
Defensive priority
medium
Recommended defensive actions
- Update affected Siemens SINEC OS devices to V3.1 or later version per vendor guidance
- Review network segmentation for affected industrial control systems to limit local attack vector exposure
- Monitor for kernel crashes or network stack anomalies on affected SCALANCE and RUGGEDCOM devices
- Apply defense-in-depth practices for industrial control systems as recommended by CISA
- Verify patch deployment through Siemens support portal for product-specific guidance
Evidence notes
Vulnerability description and remediation details sourced from CISA CSAF advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. CVSS vector confirms local attack vector with availability impact. Advisory revision history shows multiple updates through February 2026 correcting product scope and removing rejected CVEs.
Official resources
-
CVE-2024-36929 CVE record
CVE.org
-
CVE-2024-36929 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12