PatchSiren cyber security CVE debrief
CVE-2024-36940 Siemens CVE debrief
A double-free vulnerability exists in the Linux kernel's pinctrl subsystem. The `pctldev` structure is allocated via `devm_pinctrl_register_and_init()` as a managed resource, meaning it is automatically freed by `devm_pinctrl_dev_release()`. However, `pinctrl_enable()` incorrectly frees this same structure, causing a double-free condition. This flaw can lead to kernel memory corruption and system instability. The vulnerability was resolved by removing the erroneous free operation in `pinctrl_enable()`.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking infrastructure, particularly those deploying SCALANCE XC/XR series switches or RUGGEDCOM RST2428P devices in critical infrastructure environments. System administrators responsible for maintaining firmware versions and security posture of OT/ICS networks should prioritize this update.
Technical summary
The vulnerability stems from improper resource management in the Linux kernel's pin control (pinctrl) subsystem. The `pctldev` structure is allocated as a device-managed resource using `devm_pinctrl_register_and_init()`, which registers a release callback (`devm_pinctrl_dev_release()`) to automatically free the structure when the device is unbound. However, `pinctrl_enable()` contained an explicit `kfree()` call on this same structure, resulting in a double-free when the device is later released. The `devm_pinctrl_dev_release()` function also handles freeing of `pindescs` and mutex destruction, meaning the erroneous free in `pinctrl_enable()` could occur while these dependent resources are still in use, potentially causing use-after-free conditions. The fix removes the incorrect free operation, allowing proper managed resource cleanup.
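As an added illustration (not kernel code and not from the vendor advisory), the userspace model below in C reproduces the lifetime described above: a small devres-style list runs `devm_pinctrl_dev_release()` at unbind, and `pinctrl_enable()` either frees `pctldev` itself (vulnerable) or leaves it to the managed cleanup (fixed). The struct shapes, the release order of `pindescs` before `pctldev`, and the counting `model_kfree()` that stands in for the kernel allocator are assumptions made for the model.

```c
#include <stdlib.h>

/* Stand-ins for the kernel's pinctrl_dev and a device's devres list (shapes assumed). */
struct pctldev { int *pindescs; int free_count; int freed_while_pindescs_live; };
struct devres  { void (*release)(void *); void *data; };
struct device  { struct devres res[4]; int n; };
static void devm_add(struct device *d, void (*rel)(void *), void *data)
{
    d->res[d->n++] = (struct devres){ rel, data };
}
/* Driver unbind: devres release callbacks run in reverse registration order. */
static void devres_release_all(struct device *d)
{
    for (int i = d->n - 1; i >= 0; i--)
        d->res[i].release(d->res[i].data);
    d->n = 0;
}
/* Counting stand-in for kfree(): a real kfree() hands the memory back, and a second
 * call on the same pointer corrupts the allocator, which is the CVE's impact. */
static void model_kfree(struct pctldev *p)
{
    p->free_count++;
    if (p->pindescs) p->freed_while_pindescs_live++; /* dependent resource still alive */
}
/* Model of devm_pinctrl_dev_release(): pin descriptors first, then pctldev itself. */
static void devm_pinctrl_dev_release(void *data)
{
    struct pctldev *p = data;
    free(p->pindescs); p->pindescs = NULL;           /* release order assumed */
    model_kfree(p);
}
/* Model of pinctrl_enable(): the vulnerable version freed pctldev on its own;
 * the fixed version leaves cleanup to the devm callback. */
static void pinctrl_enable(struct pctldev *p, int vulnerable)
{
    if (vulnerable) model_kfree(p);                  /* the erroneous free the fix removes */
}
/* register -> enable -> unbind; free_count 1 is correct, 2 is the double free. */
struct pctldev run_lifecycle(int vulnerable)
{
    struct device dev = { .n = 0 };
    struct pctldev *p = calloc(1, sizeof *p);
    p->pindescs = calloc(4, sizeof *p->pindescs);
    devm_add(&dev, devm_pinctrl_dev_release, p);     /* devm_pinctrl_register_and_init() */
    pinctrl_enable(p, vulnerable);
    devres_release_all(&dev);
    struct pctldev out = *p;                         /* snapshot the counters */
    free(p);                                         /* the one real free, after measuring */
    return out;
}
```

`run_lifecycle(1)` reports two frees of the same object, the first while `pindescs` is still allocated; `run_lifecycle(0)` reports exactly one, from the managed release path.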
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to version 3.1 or later for affected SCALANCE and RUGGEDCOM devices
- Review device inventory to identify systems running SINEC OS versions prior to 3.1
- Implement network segmentation for industrial control systems to limit local access
- Monitor for anomalous system behavior or unexpected reboots on affected devices
- Follow CISA ICS recommended practices for defense-in-depth strategies
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. The issue affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low attack complexity, requiring low privileges and resulting in high availability impact.
Official resources
- CVE-2024-36940 CVE record (CVE.org)
- CVE-2024-36940 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12