PatchSiren cyber security CVE debrief
CVE-2024-36954 Siemens CVE debrief
A memory leak vulnerability exists in the Linux kernel's Transparent Inter-Process Communication (TIPC) protocol implementation, specifically within the `tipc_buf_append` function. The issue arises because `__skb_linearize()` does not free the socket buffer (skb) when it fails, and the original code set `*buf = NULL` before calling this function. This sequence prevented proper deallocation of the skb on error paths, leading to a memory leak. The fix reorders operations to set `*buf = NULL` after `__skb_linearize()`, ensuring the skb can be freed if linearization fails. Siemens has identified this vulnerability as affecting certain industrial networking products running SINEC OS, with a vendor fix available in version 3.1 or later. The CVSS 3.1 vector indicates network attack vector with high attack complexity, requiring no privileges but user interaction, with no impact to confidentiality, integrity, or availability—suggesting the vulnerability may be difficult to exploit in practice or the scoring reflects specific deployment constraints.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: NONE
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P switches running SINEC OS versions prior to 3.1. Security teams in manufacturing, energy, transportation, and critical infrastructure sectors using TIPC protocol for inter-process communication in distributed control systems should assess exposure.
Technical summary
The vulnerability exists in `tipc_buf_append()` within the Linux kernel's TIPC (Transparent Inter-Process Communication) networking subsystem. The function handles socket buffer (skb) appending operations for TIPC message fragmentation and reassembly. The defect involves improper resource management: when `__skb_linearize()` fails to consolidate fragmented skb data, the function previously set `*buf = NULL` before the linearization attempt, which prevented the error handling path from properly freeing the original skb. The resolution moves the null assignment to occur after `__skb_linearize()`, preserving the buffer pointer for cleanup on failure paths. This is a classic memory leak pattern in kernel network stack code where error handling order determines resource lifecycle.
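The ordering problem described above, reduced to a userspace C model. This is an added example, not kernel or Siemens code: `struct buf`, `linearize`, `append_first` and `leaked_after` are hypothetical stand-ins for the skb, `__skb_linearize()` and the first-fragment path, and the error path that frees through `*bufp` is an assumption drawn from the description.

```c
#include <stdlib.h>

/* Userspace model of the ordering bug; all names here are hypothetical
 * stand-ins, not kernel symbols. */
struct buf { int has_frag_list; };
static int live_bufs;                       /* allocated and not yet freed */

static struct buf *buf_alloc(void) {
    struct buf *b = calloc(1, sizeof *b);
    if (b) { b->has_frag_list = 1; live_bufs++; }
    return b;
}
static void buf_free(struct buf *b) {       /* NULL is a no-op, like kfree_skb() */
    if (b) { live_bufs--; free(b); }
}
/* Models __skb_linearize(): on failure it does NOT free its argument. */
static int linearize(struct buf *b, int fail) { (void)b; return fail ? -1 : 0; }

/* First-fragment path. fixed == 0 is the pre-fix order, 1 the patched order. */
static int append_first(struct buf **headp, struct buf **bufp, int fail, int fixed) {
    struct buf *frag = *bufp;
    if (!fixed)
        *bufp = NULL;                       /* pre-fix: pointer cleared too early */
    if (frag->has_frag_list && linearize(frag, fail))
        goto err;
    *bufp = NULL;                           /* patched: cleared only after success */
    *headp = frag;                          /* reassembly head now owns the buffer */
    return 1;
err:
    buf_free(*bufp);                        /* pre-fix: *bufp is NULL, frag leaks */
    *bufp = NULL;
    return 0;
}

/* Runs one append and returns how many buffers are still allocated afterwards. */
int leaked_after(int fixed, int fail) {
    struct buf *head = NULL, *b;
    live_bufs = 0;
    b = buf_alloc();
    if (!b) return -1;
    append_first(&head, &b, fail, fixed);
    buf_free(head);                         /* caller releases a completed head */
    return live_bufs;
}

int main(void) {
    /* Exit status 0 when the pre-fix order leaks and the patched order does not. */
    return (leaked_after(0, 1) == 1 && leaked_after(1, 1) == 0) ? 0 : 1;
}
```

Both orderings behave identically when linearization succeeds; they differ only on the failure path, which is why the leak shows up as slow memory growth rather than an immediate fault.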
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided update to SINEC OS V3.1 or later for affected Siemens SCALANCE and RUGGEDCOM products per Siemens ProductCERT advisory
- Review network segmentation for TIPC protocol exposure in industrial control environments
- Monitor for anomalous memory consumption patterns on affected systems as potential indicator of exploitation attempts
- Follow CISA ICS recommended practices for defense-in-depth strategies in industrial control systems
Evidence notes
Vulnerability description derived from Linux kernel commit message indicating memory leak in TIPC protocol skb handling. Siemens ProductCERT advisory SSA-613116 and CISA ICS advisory ICSA-25-226-15 confirm affected products and remediation. CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N from source indicates network-accessible but high-complexity attack with no direct availability impact scored.
Official resources
- CVE-2024-36954 CVE record (CVE.org)
- CVE-2024-36954 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12