PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-40959 Siemens CVE debrief

This CVE addresses a missing null pointer check in the Linux kernel's IPv6 IPsec (xfrm6) implementation. Specifically, the function `xfrm6_get_saddr()` failed to validate the return value of `ip6_dst_idev()`, which can return NULL under certain error conditions. Without this check, a NULL pointer dereference could occur, potentially leading to a kernel crash or denial of service condition. The vulnerability was resolved by adding proper validation of the `ip6_dst_idev()` return value before dereferencing it.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations running Linux-based systems with IPv6 IPsec enabled, particularly those operating Siemens industrial networking equipment including the RUGGEDCOM and SCALANCE product families. Industrial control system operators should monitor vendor guidance, since the vendor's impact assessment indicates that the listed products may have been misidentified as affected.

Technical summary

The vulnerability exists in the Linux kernel's xfrm6 (IPv6 IPsec transform) subsystem. The function `xfrm6_get_saddr()` calls `ip6_dst_idev()` to obtain the IPv6 device structure (`inet6_dev`) attached to the destination route, but does not check whether the return value is NULL before using it. Under error conditions where `ip6_dst_idev()` returns NULL, this leads to a NULL pointer dereference. The fix adds a NULL check on the return value of `ip6_dst_idev()` before dereferencing it. This is a classic defensive coding issue: a callee's error return was not handled by its caller.
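As an added illustration (not code from this page or from the kernel), the following userspace C model shows the shape of the corrected lookup: a route lookup that hands back a referenced dst, a stand-in for `ip6_dst_idev()` that can return NULL, and a caller that checks the result before touching `idev->dev`. The page does not show the patch itself; the reference drop on the error path mirrors what the kernel fix does, since a bare early return would leak the route reference the lookup took. All `model_*` names and the `eth0` / `fe80::1` values are constructed.

```c
/* Userspace model of the xfrm6_get_saddr() fix (constructed, not kernel code):
 * the lookup hands back a referenced dst, ip6_dst_idev() may return NULL. */
#include <stdio.h>
#include <string.h>
#define EHOSTUNREACH 113   /* errno value used on the error path */

struct net_device { char name[16]; };
struct inet6_dev  { struct net_device *dev; };
struct dst_entry  { struct inet6_dev *idev; int refcnt; };
char model_last_saddr[32];  /* address chosen by the last model_run() */
int  model_leaked_refs;     /* references still held after model_run() */

/* Stand-ins for ip6_dst_idev(), the dst lookup (takes a ref) and dst_release(). */
static struct inet6_dev *model_ip6_dst_idev(struct dst_entry *d) { return d->idev; }
static struct dst_entry *model_dst_lookup(struct dst_entry *d) { d->refcnt++; return d; }
static void model_dst_release(struct dst_entry *d) { d->refcnt--; }

/* Hardened lookup. The bug dereferenced ip6_dst_idev(dst)->dev with no check;
 * the fix tests for NULL, drops the reference and fails with -EHOSTUNREACH. */
int model_get_saddr(struct dst_entry *route, char *saddr, size_t len)
{
    struct dst_entry *dst = model_dst_lookup(route);
    struct inet6_dev *idev = model_ip6_dst_idev(dst);
    if (!idev) {                 /* the check CVE-2024-40959 was missing */
        model_dst_release(dst);  /* do not leak the lookup's reference */
        return -EHOSTUNREACH;
    }
    /* Stand-in for choosing a source address on idev->dev. */
    snprintf(saddr, len, "fe80::1%%%s", idev->dev->name);
    model_dst_release(dst);
    return 0;
}

/* Drive one scenario, with or without an inet6_dev on the route. */
int model_run(int has_idev)
{
    struct net_device eth = { "eth0" };
    struct inet6_dev idev = { &eth };
    struct dst_entry route = { has_idev ? &idev : NULL, 0 };
    int rc = model_get_saddr(&route, model_last_saddr, sizeof model_last_saddr);
    model_leaked_refs = route.refcnt;
    return rc;
}

int main(void)
{
    printf("with idev: rc=%d saddr=%s\n", model_run(1), model_last_saddr);
    printf("no idev: rc=%d", model_run(0));
    printf(" leaked refs=%d\n", model_leaked_refs);
}
```

The error-path release matters as much as the NULL check: a reviewer auditing similar callers should confirm both that the pointer is tested and that any reference taken before the test is dropped.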

Defensive priority

Medium

Recommended defensive actions

  • Review the Linux kernel version and apply vendor-provided security patches that include the fix for `xfrm6_get_saddr()`
  • Verify that IPv6 IPsec (xfrm6) configurations are properly hardened
  • Monitor vendor security advisories for affected Siemens industrial networking products
  • Implement network segmentation for critical industrial control systems to limit exposure
  • Apply defense-in-depth strategies for industrial control system environments

Evidence notes

The vulnerability description indicates a resolved Linux kernel issue in the xfrm6 subsystem. The source advisory (ICSA-25-226-07) from CISA, based on Siemens ProductCERT SSA-355557, lists this CVE with a 'Misinformed' impact assessment for affected Siemens products, suggesting the vendor's analysis determined the vulnerability does not actually affect the listed products as initially thought. The advisory was republished on 2026-02-25 with corrections to the affected products list.

Official resources

2025-08-12