PatchSiren cyber security CVE debrief
CVE-2024-36959 Siemens CVE debrief
CVE-2024-36959 is a reference count leak vulnerability in the Linux kernel's pinctrl subsystem, specifically within the pinctrl_dt_to_map() function in the devicetree handling code. The flaw occurs when memory allocation for a property name buffer fails after a reference count has been incremented; without proper cleanup, this leads to a resource leak. The vulnerability has been resolved in the upstream Linux kernel by invoking pinctrl_dt_free_maps() to properly decrement the reference count when allocation fails. Siemens has identified this vulnerability as affecting certain industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The CVSS 3.1 score of 5.5 (MEDIUM) reflects local attack vector requirements with low attack complexity, requiring low privileges but no user interaction, resulting in high availability impact. CISA published this advisory on August 12, 2025, with subsequent updates through February 25, 2026, including corrections to affected product listings and removal of rejected CVEs. Organizations should apply vendor-provided updates to SINEC OS V3.1 or later to remediate this vulnerability.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens industrial networking infrastructure including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH family devices in industrial control system environments. System administrators responsible for maintaining SINEC OS-based devices should prioritize patching to prevent potential availability impacts from resource exhaustion.
Technical summary
The vulnerability exists in the pinctrl_dt_to_map() function within the Linux kernel's pinctrl devicetree subsystem. When processing device tree pin control mappings, the function increments a reference count before attempting to allocate a buffer for the property name. If this allocation fails, the previously incremented reference count is not decremented, resulting in a reference count leak. The fix invokes pinctrl_dt_free_maps() to properly release resources when allocation fails. This is classified as CWE-668: Exposure of Resource to Wrong Sphere. The vulnerability requires local access with low privileges to trigger, with exploitation resulting in denial of service through resource exhaustion.
Defensive priority
medium
Recommended defensive actions
- Apply vendor fix: Update affected Siemens devices to SINEC OS V3.1 or later version
- Verify current SINEC OS version on RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
- Review CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
- Monitor Siemens ProductCERT security advisories for additional updates to SSA-613116
Evidence notes
Vulnerability description and remediation guidance derived from CISA CSAF advisory ICSA-25-226-15 and Siemens ProductCERT advisory SSA-613116. CVSS vector confirms local attack vector with availability impact. Patch resolution confirmed in upstream Linux kernel pinctrl subsystem.
Official resources
-
CVE-2024-36959 CVE record
CVE.org
-
CVE-2024-36959 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12