PatchSiren cyber security CVE debrief
CVE-2024-39503 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's netfilter ipset subsystem, specifically within the list:set type. The race condition occurs between namespace cleanup operations and garbage collection (gc) during RCU cleanup. When namespace cleanup destroys list:set type sets while garbage collection is waiting to run, the gc process subsequently accesses data from the already-destroyed set, resulting in use-after-free memory corruption. This vulnerability affects Siemens industrial networking products that incorporate the vulnerable Linux kernel components. The issue was initially published on August 12, 2025, with subsequent advisory updates through February 25, 2026, including corrections to affected product listings and clarifications regarding specific product family configurations.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, or RUGGEDCOM RST2428P industrial networking equipment. System administrators responsible for Linux-based industrial control systems using netfilter ipset with list:set configurations. Security teams monitoring OT/ICS environments for kernel-level vulnerabilities.
Technical summary
The vulnerability exists in the Linux kernel's netfilter ipset implementation, specifically the list:set type. A race condition between namespace cleanup and garbage collection (gc) during RCU cleanup can cause the gc process to access freed memory: when namespace cleanup destroys list:set type sets, a pending gc operation may still reference data from the destroyed set, resulting in a use-after-free. This is a memory safety issue in kernel networking code that could lead to denial of service or other undefined behavior. The vulnerability affects Siemens industrial networking products that incorporate vulnerable Linux kernel versions.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates for affected Siemens SCALANCE and RUGGEDCOM products when available
- Monitor Siemens ProductCERT advisory SSA-355557 for updated patch availability
- Implement network segmentation to limit exposure of affected industrial control system devices
- Follow CISA ICS recommended practices for defense-in-depth strategies
- Review and apply Linux kernel security updates for systems under organizational control that use netfilter ipset with list:set configurations
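For the last action above, the following added example (not part of the advisory and not Siemens or kernel project code) inventories which ipset sets on a Linux host under your control are of type list:set, including sets in named network namespaces. The sample output and set names are constructed; this is an inventory aid for prioritizing kernel updates, not a test for the vulnerability.

```shell
#!/bin/sh
# Added example: inventory ipset sets of type list:set.

# Constructed sample of `ipset list -terse` output (not taken from a real device).
sample_ipset_output() {
cat <<'EOF'
Name: blocklist_v4
Type: hash:ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 200
References: 1
Number of entries: 0

Name: all_blocklists
Type: list:set
Revision: 3
Header: size 8 timeout 600
Size in memory: 80
References: 2
Number of entries: 1
EOF
}

# Read terse ipset output on stdin; print "<set name> <reference count>"
# for every set whose type is list:set.
find_list_sets() {
    awk '
        /^Name: /       { name = substr($0, 7); type = "" }
        /^Type: /       { type = $2 }
        /^References: / { if (type == "list:set") print name, $2 }
    '
}

# Scan the live host: the default network namespace plus every named one
# reported by `ip netns list`. Needs root; returns 2 if ipset is missing.
scan_host() {
    command -v ipset >/dev/null 2>&1 || { echo "ipset not installed" >&2; return 2; }
    echo "[default netns]"
    ipset list -terse | find_list_sets
    ip netns list 2>/dev/null | awk '{ print $1 }' | while read -r ns; do
        echo "[netns $ns]"
        ip netns exec "$ns" ipset list -terse </dev/null | find_list_sets
    done
}

# Demonstrate the parser on the constructed sample.
sample_ipset_output | find_list_sets
```

Call `scan_host` as root on a real system; a non-zero reference count means other sets or firewall rules currently refer to that set.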
Evidence notes
Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557. The use-after-free condition is specifically tied to the list:set type implementation in netfilter ipset. Advisory revision history indicates initial publication on 2025-08-12, with multiple updates through 2026-02-25 correcting product impact assessments.
Official resources
- CVE-2024-39503 CVE record (CVE.org)
- CVE-2024-39503 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12