PatchSiren cyber security CVE debrief
CVE-2024-38586 Siemens CVE debrief
A vulnerability in the r8169 Ethernet driver affects the RTL8125b network controller when transmitting small fragmented packets. The flaw occurs in `rtl8169_start_xmit()`, which fails to detect changes to `nr_frags` that can happen when small packets are padded in `rtl8169_tso_csum_v2()` to work around hardware quirks. This leads to invalid entries being inserted into the transmit ring buffer, subsequently causing `dma_unmap_single()` to be called with a null address. The vulnerability has been assessed as MEDIUM severity with a CVSS score of 4.7. Siemens has identified this vulnerability as affecting certain industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The vulnerability was initially published on August 12, 2025, with subsequent advisory updates through February 25, 2026, including corrections to affected product listings and clarifications on affected configurations.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment with SINEC OS, particularly RUGGEDCOM RST2428P and SCALANCE XC/XR series switches and routers that may incorporate the Realtek RTL8125b network controller. System administrators responsible for OT/ICS network infrastructure security should prioritize vendor patch availability monitoring.
Technical summary
The r8169 Ethernet driver contains a vulnerability in its transmit path for the RTL8125b controller. When small fragmented packets are padded in `rtl8169_tso_csum_v2()` to work around hardware quirks, the number of fragments (`nr_frags`) can change, and `rtl8169_start_xmit()` does not notice the change. As a result, invalid entries are inserted into the transmit ring buffer, and `dma_unmap_single()` is subsequently called with a null address. The flaw is triggered only during transmission of small fragmented packets that pass through the padding step.
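The ordering problem described above can be reproduced in a small user-space model. This is an added example, not code from the r8169 driver or from the advisory. The structs, the 60-byte pad threshold, the addresses, and the assumption that padding folds the fragments into the linear buffer (so `nr_frags` drops to 0) are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MIN_LEN 60      /* assumed pad threshold, model only */
#define MAX_FRAGS 4
#define RING_SIZE 8

struct pkt {            /* toy stand-in for a socket buffer */
    unsigned len, nr_frags;
    unsigned long frag_dma[MAX_FRAGS];   /* 0 means "no mapping" */
};
struct ring { unsigned long dma[RING_SIZE]; unsigned used; };

/* Padding step: assumed to fold fragments into the linear buffer. */
static void pad_small(struct pkt *p) {
    if (p->len >= MIN_LEN) return;
    memset(p->frag_dma, 0, sizeof p->frag_dma);
    p->nr_frags = 0;
    p->len = MIN_LEN;
}

static void queue(struct ring *r, unsigned long dma) {
    if (r->used < RING_SIZE) r->dma[r->used++] = dma;
}

/* fixed == 0: fragment count sampled before padding (the flawed order).
 * fixed != 0: fragment count read only after padding has been applied. */
static void xmit(struct ring *r, struct pkt *p, int fixed) {
    unsigned frags = p->nr_frags;        /* early sample */
    pad_small(p);
    if (fixed) frags = p->nr_frags;      /* re-read after padding */
    queue(r, 0x1000);                    /* linear part, constructed address */
    for (unsigned i = 0; i < frags; i++) queue(r, p->frag_dma[i]);
}

/* Ring entries that a later unmap pass would see with a null address. */
static unsigned null_entries(unsigned len, unsigned nr_frags, int fixed) {
    struct pkt p = { len, nr_frags, { 0x2000, 0x3000, 0x4000, 0x5000 } };
    struct ring r = { {0}, 0 };
    unsigned n = 0;
    xmit(&r, &p, fixed);
    for (unsigned i = 0; i < r.used; i++) n += (r.dma[i] == 0);
    return n;
}

int main(void) {
    printf("stale: %u, fixed: %u\n", null_entries(40, 2, 0), null_entries(40, 2, 1));
    return 0;
}
```

In the model, only packets below the pad threshold produce null ring entries, which matches the "small fragmented packets" trigger condition in the summary.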
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed product-specific guidance and patch availability
- Verify if deployed Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE XC/XR families) uses the affected RTL8125b network controller
- Apply vendor-provided firmware updates for SINEC OS when available
- Monitor network traffic for anomalous behavior on affected devices as a detection measure
- Follow CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
Evidence notes
The vulnerability description is sourced from CISA ICS Advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The advisory underwent multiple revisions: initial publication (2025-08-12), correction of affected products (2026-02-12), clarification of SCALANCE family affected configurations and removal of rejected CVEs (2026-02-24), and final republication based on Siemens SSA-355557 (2026-02-25). The threat assessment in the source marks this as 'Misinformed' impact for affected product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003.
Official resources
- CVE-2024-38586 CVE record (CVE.org)
- CVE-2024-38586 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12