PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-39502 Siemens CVE debrief

CVE-2024-39502 is a use-after-free vulnerability in the Linux kernel's ionic network driver, specifically affecting the NAPI (New API) polling mechanism. The flaw occurs when `ionic_qcq_enable()` incorrectly enables NAPI for queues that were previously unregistered via `netif_napi_del()`, because the `.poll` pointer is not reset to NULL upon deletion. This can lead to calling `napi_enable()` on an unregistered queue, potentially causing system instability or denial of service conditions. The vulnerability has a CVSS score of 5.5 (MEDIUM) and was published on August 12, 2025.

Siemens has identified this vulnerability as affecting certain industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE X-family switches. CISA and Siemens have coordinated on this advisory, with the most recent update on February 25, 2026, reflecting republication based on Siemens ProductCERT guidance. No known exploitation in the wild has been reported, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

  • Organizations operating Siemens industrial networking equipment, including RUGGEDCOM RST2428P and SCALANCE X-family switches, in critical infrastructure environments
  • System administrators responsible for Linux-based industrial control systems using ionic-compatible network hardware
  • Security teams monitoring OT/ICS environments for kernel-level vulnerabilities that could impact network availability

Technical summary

The ionic network driver in the Linux kernel contains a use-after-free condition in its queue configuration management. When network queues are started, `netif_napi_add()` and `napi_enable()` are called for active queues. The `ionic_qcq_enable()` function uses the `.poll` pointer to determine which queues should have NAPI enabled, expecting NULL for unused queues. However, when `netif_napi_del()` unregisters a queue's NAPI, it does not reset the `.poll` pointer to NULL. Consequently, `ionic_qcq_enable()` cannot distinguish between never-registered queues and previously-registered-then-deleted queues, leading to `napi_enable()` being called on unregistered NAPI structures. This improper state management can result in memory corruption or system crashes.
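The state-tracking flaw described above, reduced to a userspace model. This is an added example, not kernel or Siemens code and not the upstream patch: every `model_*` name, the `napi_added` field and the "tracked state" check are assumptions chosen for illustration.

```c
#include <stdbool.h>

/* Userspace model only; every model_* name is hypothetical, not a kernel API. */
struct model_napi {
    int (*poll)(struct model_napi *, int); /* set on add, left as-is on del */
    bool registered;                       /* ground truth for this model */
};
struct model_qcq {
    struct model_napi napi;
    bool napi_added; /* driver-owned state used by the hardened check */
};

static int model_poll(struct model_napi *n, int budget) { (void)n; return budget; }

static void model_napi_add(struct model_qcq *q) {
    q->napi.poll = model_poll;
    q->napi.registered = true;
    q->napi_added = true;
}

/* As described on the page: deletion does not reset .poll to NULL. */
static void model_napi_del(struct model_qcq *q) {
    q->napi.registered = false;
    q->napi_added = false;
}

/* Returns true when enable is invoked on an unregistered instance. */
static bool model_napi_enable(struct model_napi *n) { return !n->registered; }

/* Check described on the page: non-NULL .poll is taken to mean "in use". */
static bool enable_by_poll_pointer(struct model_qcq *q) {
    return q->napi.poll ? model_napi_enable(&q->napi) : false;
}

/* Hardened form (assumption, not the upstream patch): use tracked state. */
static bool enable_by_tracked_state(struct model_qcq *q) {
    return q->napi_added ? model_napi_enable(&q->napi) : false;
}

/* add -> del -> enable; returns true if the unregistered NAPI was enabled. */
static bool misuse_after_del(bool hardened) {
    struct model_qcq q = {0};
    model_napi_add(&q);
    model_napi_del(&q);
    return hardened ? enable_by_tracked_state(&q) : enable_by_poll_pointer(&q);
}

int main(void) { return misuse_after_del(false) && !misuse_after_del(true) ? 0 : 1; }
```

In the model, a never-registered queue is skipped by both checks; only the add-then-delete sequence separates them, which is the case the stale `.poll` pointer hides.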

Defensive priority

Medium

Recommended defensive actions

  • Apply vendor-provided firmware updates for affected Siemens SCALANCE and RUGGEDCOM products when available
  • Monitor Siemens ProductCERT security advisories for patch availability
  • Implement network segmentation for industrial control systems to limit exposure
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Review and update incident response procedures for industrial network infrastructure

Evidence notes

Vulnerability description derived from CISA CSAF advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557. The technical root cause involves improper state tracking in the ionic driver's NAPI lifecycle management. Affected products confirmed through Siemens CSAF product tree with high confidence. Timeline reflects CISA republication on 2026-02-25 based on Siemens advisory updates.

Official resources

2025-08-12