PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-38587 Siemens CVE debrief

A vulnerability in the Linux kernel's speakup accessibility subsystem could allow out-of-bounds access due to a coding error where sizeof() was used instead of ARRAY_SIZE() on a u16 array. The bug causes the code to use 512 (byte size) rather than 256 (element count) as the bounds check, potentially permitting access beyond the allocated buffer. This affects Siemens industrial networking products running SINEC OS, including RUGGEDCOM RST2428P and SCALANCE X-family switches. The vulnerability has a network attack vector with low attack complexity, requiring no privileges or user interaction, and can result in limited availability impact.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Organizations operating Siemens industrial networking infrastructure including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family switches, SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices, and RUGGEDCOM RST2428P switches. OT security teams managing SINEC OS deployments should prioritize patching. Linux kernel maintainers and accessibility subsystem developers should review similar patterns in speakup code. Industrial control system operators following CISA ICS advisories should incorporate this into vulnerability management programs.

Technical summary

The vulnerability exists in the Linux kernel's speakup screen reader subsystem, specifically in code handling a u16 array buffer. The developer incorrectly used sizeof(buf) which returns 512 bytes (256 u16 elements × 2 bytes each) instead of ARRAY_SIZE(buf) which returns 256 elements. This causes bounds checks to allow access up to index 511 instead of the correct maximum index 255, enabling out-of-bounds memory access. The flaw is classified as CWE-129 (Improper Validation of Array Index). While the base vulnerability is in upstream Linux kernel code, the exposure surface in Siemens products depends on whether the speakup subsystem is enabled and accessible in the SINEC OS environment. The CVSS 3.1 score of 5.3 (MEDIUM) reflects network accessibility but limited availability impact only.
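The sizeof() versus ARRAY_SIZE() mix-up described in the technical summary and the evidence notes, as an added illustration (not the kernel's speakup code and not Siemens' code): a constructed 256-element u16 buffer with the flawed index check beside the corrected one, so the 256 indexes the flawed check wrongly admits can be counted.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint16_t u16;

/* Kernel-style helper: number of elements in a statically sized array. */
#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))

/* Constructed stand-in for the speakup buffer: 256 u16 elements, 512 bytes. */
static u16 buf[256];

/* Index check as the defect has it: sizeof(buf) is 512 (bytes), not 256
 * (elements), so indexes 256..511 pass although they lie past the array. */
int index_allowed_buggy(size_t idx)
{
    return idx < sizeof(buf);
}

/* Corrected check: ARRAY_SIZE(buf) is 256, the real element count. */
int index_allowed_fixed(size_t idx)
{
    return idx < ARRAY_SIZE(buf);
}

/* Guarded read using the corrected check; returns -1 when the index is rejected. */
int read_entry_fixed(size_t idx)
{
    if (!index_allowed_fixed(idx))
        return -1;
    return buf[idx];
}

/* Number of indexes the flawed check admits that the correct check rejects. */
size_t buggy_overreach_count(void)
{
    size_t n = 0;
    for (size_t i = 0; i < 1024; i++)
        if (index_allowed_buggy(i) && !index_allowed_fixed(i))
            n++;
    return n;
}
```

Static analysis and compiler warnings rarely flag this pattern because sizeof() on an array is a perfectly legal expression; a review grep for `< sizeof(` next to an array index is the practical check.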

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided updates to SINEC OS V3.1 or later for affected SCALANCE and RUGGEDCOM products
  • Review network segmentation for affected industrial switches to limit exposure
  • Monitor for anomalous accessibility subsystem activity on Linux-based industrial systems
  • Consult Siemens ProductCERT advisory SSA-613116 for detailed product-specific guidance
  • Follow CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

The vulnerability description indicates a classic sizeof() versus ARRAY_SIZE() confusion in kernel code. buf is declared as an array of u16 values, so ARRAY_SIZE(buf) evaluates to 256 elements while sizeof(buf) evaluates to 512 bytes. Using the byte count as an index bound allows potential out-of-bounds access. The CVSS vector confirms network accessibility with no authentication required. Siemens ProductCERT advisory SSA-613116 provides vendor confirmation and remediation guidance. CISA advisory ICSA-25-226-15 republishes this information for industrial control system operators.

Official resources

2025-08-12