PatchSiren cyber security CVE debrief
CVE-2024-39495 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel greybus subsystem, specifically in the gb_interface_release function, due to a race condition. The vulnerability was published on 2025-08-12 and last modified on 2026-02-25. Siemens ProductCERT issued advisory SSA-355557 addressing third-party components in SINEC OS, which CISA subsequently republished as ICSA-25-226-07. The advisory was revised multiple times, with the most recent update on 2026-02-25 clarifying affected configurations for the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family and removing several rejected CVEs from earlier versions. The vulnerability affects Siemens industrial networking products running SINEC OS that incorporate the vulnerable greybus kernel module. The CVSS v3.1 score of 5.5 (MEDIUM) indicates moderate severity with local attack vector requirements. The use-after-free condition in gb_interface_release could potentially lead to memory corruption, though the specific impact depends on the race condition window and subsequent memory access patterns.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations operating Siemens industrial networking infrastructure with SINEC OS, particularly those deploying RUGGEDCOM RST2428P or SCALANCE XC/XR/XCM/XRM/XCH/XRH series switches. OT security teams responsible for patch management in manufacturing, energy, transportation, and critical infrastructure sectors using Siemens networking equipment.
Technical summary
The vulnerability exists in the greybus kernel subsystem's gb_interface_release function, where a race condition can lead to use-after-free memory access. Greybus (Grey Bus) is a subsystem originally developed for Google's Project Ara modular smartphone, now present in the mainline Linux kernel. The race condition occurs during interface release operations, potentially allowing memory corruption if an attacker can trigger the specific timing window. The vulnerability requires local access to exploit, consistent with the MEDIUM CVSS severity rating. Siemens industrial networking products incorporating this kernel module in SINEC OS are affected, including RUGGEDCOM RST2428P and SCALANCE X-family switches under specific configurations.
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed product-specific guidance and patch availability
- Verify SINEC OS version and greybus module status on affected Siemens industrial networking equipment
- Apply vendor-provided firmware updates when available per Siemens ProductCERT recommendations
- Implement network segmentation for industrial control systems to limit potential attack surface
- Follow CISA ICS recommended practices for defense-in-depth strategies
- Monitor CISA ICS advisories for updates to ICSA-25-226-07
Evidence notes
Primary source is CISA CSAF advisory ICSA-25-226-07, republished from Siemens ProductCERT SSA-355557. Advisory revision history shows four updates: initial publication (2025-08-12), corrected product lists (2026-02-12), clarified affected configurations and removed rejected CVEs (2026-02-24), and final CISA republication update (2026-02-25). The threat category in source data is marked as 'Misinformed' for affected products CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003.
Official resources
-
CVE-2024-39495 CVE record
CVE.org
-
CVE-2024-39495 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12