PatchSiren cyber security CVE debrief
CVE-2024-36978 Siemens CVE debrief
CVE-2024-36978 is a medium-severity (CVSS 6.1 in the source data) out-of-bounds write in the Linux kernel's network traffic scheduler, specifically in the multiq_tune() function of the sch_multiq module (net/sched/sch_multiq.c). When a multiq qdisc is reconfigured, the function sizes a kmalloc() allocation from the old q->bands value and only afterwards assigns the new band count (qopt->bands) to q->bands; the loop that then collects child qdiscs from the dropped bands can write more entries than were allocated, corrupting heap memory. Triggering it requires the local privilege needed to change qdisc configuration (CAP_NET_ADMIN). In the source data the item carries a published date of 2025-08-12 and a last-modified date of 2026-02-25.

According to CISA ICS advisory ICSA-25-226-07, the CVE affects Siemens industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and the SCALANCE XC-300, XR-300, XC-400, XR-500WG and XR-500 families. The advisory was republished on 2026-02-25 based on Siemens ProductCERT advisory SSA-355557. The threat category for this CVE is recorded as 'Misinformed' in the source data; the source does not explain that label, so check the advisory's revision history for the current assessment.

The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog in the stored evidence, and no ransomware campaign use has been documented. Operators should consult SSA-355557 for patch availability per product and apply SINEC OS updates as Siemens releases them.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators, OT security teams, network administrators managing Siemens SCALANCE and RUGGEDCOM devices, and organizations with critical infrastructure relying on SINEC OS-based networking equipment
Technical summary
The bug is in multiq_tune() in net/sched/sch_multiq.c. On (re)configuration the function allocates a temporary array, removed, to hold the child qdiscs of bands that are being dropped. The allocation is sized as q->max_bands - q->bands using the band count from the previous configuration, and only afterwards is q->bands set to the new value from qopt->bands. The loop that follows walks bands from the new q->bands up to q->max_bands and stores every attached child into removed[]. If the new band count is smaller than the old one, the loop needs more slots than were allocated and writes past the end of the heap buffer. The new band count is taken from the device's current number of real transmit queues, so the condition arises when that count has shrunk since the qdisc was last configured while child qdiscs remain attached to the dropped bands. The upstream fix sizes the allocation from qopt->bands instead. Changing qdisc configuration requires CAP_NET_ADMIN, so this is a local, privileged-user issue rather than a remotely reachable one. Affected Siemens products ship vulnerable kernel versions in their SINEC OS firmware for industrial Ethernet switches and routers.
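The following is an added user-space model of the size mismatch described above; it is not kernel code and not part of the Siemens or CISA advisories. The struct and field names mirror net/sched/sch_multiq.c, but the child qdisc pointers are replaced by integers and the new band count is passed as a parameter rather than read from the device's real_num_tx_queues. The model counts how many slots the collection loop would write against how many the kernel allocates, instead of performing the out-of-bounds write itself.

```c
/*
 * Added illustration for CVE-2024-36978 (not kernel code): a model of the
 * allocation/loop mismatch in multiq_tune(). Field names follow
 * net/sched/sch_multiq.c; everything else is simplified.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NOOP_QDISC 0  /* stands in for &noop_qdisc: band has no child attached */

struct multiq_sched_data {
    unsigned int bands;      /* bands currently in use */
    unsigned int max_bands;  /* size of queues[] (num_tx_queues at init) */
    int *queues;             /* per-band child; NOOP_QDISC when empty */
};

struct tune_result {
    unsigned int allocated;  /* slots the kernel allocates for removed[] */
    unsigned int needed;     /* slots the collection loop actually writes */
    bool overflow;           /* needed > allocated: heap out-of-bounds write */
};

/*
 * Model of multiq_tune(). fixed=false sizes removed[] from the stale
 * q->bands (vulnerable); fixed=true sizes it from the new value (upstream fix).
 * In the kernel new_bands comes from the device's real_num_tx_queues.
 */
struct tune_result multiq_tune_model(struct multiq_sched_data *q,
                                     unsigned int new_bands, bool fixed)
{
    struct tune_result r = {0, 0, false};
    unsigned int size_bands = fixed ? new_bands : q->bands;

    /* removed = kmalloc(sizeof(*removed) * (q->max_bands - size_bands), ...) */
    r.allocated = q->max_bands - size_bands;

    /* q->bands = qopt->bands; then purge the bands that no longer exist */
    q->bands = new_bands;
    for (unsigned int i = q->bands; i < q->max_bands; i++) {
        if (q->queues[i] != NOOP_QDISC) {
            q->queues[i] = NOOP_QDISC;
            r.needed++;  /* kernel: removed[n_removed++] = child */
        }
    }
    r.overflow = r.needed > r.allocated;
    return r;
}

/* Constructed sample state: max_bands bands, children attached to the
 * first old_bands of them, the rest already empty (as after a prior tune). */
struct multiq_sched_data make_qdisc(unsigned int max_bands,
                                    unsigned int old_bands)
{
    struct multiq_sched_data q;
    q.max_bands = max_bands;
    q.bands = old_bands;
    q.queues = malloc(sizeof(int) * max_bands);
    for (unsigned int i = 0; i < max_bands; i++)
        q.queues[i] = (i < old_bands) ? (int)i + 1 : NOOP_QDISC;
    return q;
}

/* Does reconfiguring from old_bands to new_bands overflow removed[]? */
bool shrink_overflows(unsigned int max_bands, unsigned int old_bands,
                      unsigned int new_bands, bool fixed)
{
    struct multiq_sched_data q = make_qdisc(max_bands, old_bands);
    struct tune_result r = multiq_tune_model(&q, new_bands, fixed);
    free(q.queues);
    return r.overflow;
}

int main(void)
{
    /* 8 tx queues, 6 bands in use, device shrinks to 2 real tx queues */
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct multiq_sched_data q = make_qdisc(8, 6);
        struct tune_result r = multiq_tune_model(&q, 2, fixed);
        printf("%s: allocated=%u needed=%u overflow=%s\n",
               fixed ? "fixed     " : "vulnerable",
               r.allocated, r.needed, r.overflow ? "yes" : "no");
        free(q.queues);
    }
    return 0;
}
```

The model shows the exact trigger condition: the vulnerable sizing overflows only when old_bands - new_bands exceeds max_bands - old_bands, so a small reduction in band count can pass silently while a larger one (or any reduction when all bands were in use, where the kernel would allocate zero bytes) writes past the buffer. The fixed sizing always reserves max_bands - new_bands slots, which is the upper bound of what the loop can write.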
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT Security Advisory SSA-355557 for detailed affected product configurations and patch availability
- Apply kernel security updates for SINEC OS-based devices when provided by Siemens
- Monitor network traffic scheduler configurations on affected industrial control systems
- Implement network segmentation for critical industrial control system components
- Follow CISA ICS recommended practices for defense-in-depth strategies
Evidence notes
Vulnerability description and affected products sourced from CISA CSAF advisory ICSA-25-226-07. CVSS score and severity from provided source data. Threat category 'Misinformed' explicitly noted in source threats array. Revision history confirms 2026-02-25 republication based on Siemens SSA-355557.
Official resources
- CVE-2024-36978 CVE record (CVE.org)
- CVE-2024-36978 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12