PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-40960 Siemens CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's IPv6 routing subsystem, specifically within the rt6_probe() function. The flaw occurs when __in6_dev_get() returns NULL, which is not properly handled, leading to a potential kernel crash. This vulnerability was identified by syzbot, Google's kernel fuzzing infrastructure. The issue affects Siemens industrial networking products that incorporate vulnerable Linux kernel versions, including the RUGGEDCOM RST2428P and SCALANCE X-family switches running SINEC OS. The vulnerability has a CVSS score of 5.5 (MEDIUM severity) and could result in denial of service conditions on affected systems. CISA published advisory ICSA-25-226-07 on August 12, 2025, with subsequent updates through February 25, 2026, to clarify affected product configurations and incorporate corrections from Siemens ProductCERT advisory SSA-355557.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens industrial networking infrastructure, including RUGGEDCOM and SCALANCE product lines, should prioritize review of this advisory. Security teams responsible for OT/ICS environments, network administrators managing IPv6-enabled industrial networks, and compliance personnel tracking CISA ICS advisories should monitor for Siemens firmware updates. Given the MEDIUM CVSS severity and kernel-level nature of the vulnerability, infrastructure operators should assess exposure of affected devices to untrusted IPv6 networks.

Technical summary

The vulnerability exists in the Linux kernel's IPv6 implementation, specifically in the rt6_probe() function used for IPv6 route probing. The function fails to validate the return value of __in6_dev_get(), which can return NULL in certain conditions. When this occurs, subsequent dereferencing leads to a kernel NULL pointer dereference, potentially causing system instability or denial of service. The flaw was discovered through automated kernel fuzzing (syzbot). Siemens industrial networking products running SINEC OS with affected kernel versions are impacted, though the advisory threat classification indicates 'Misinformed' impact for the listed product IDs, suggesting the actual exploitability or impact may differ from initial assessment. Organizations should consult the Siemens ProductCERT advisory for definitive product-specific guidance.
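The unchecked-return pattern described above, reduced to a userspace C model beside its guarded form. This is an added example, not kernel or Siemens code; the `model_*` types, the `probe_*` functions and the interval field are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: these types and names are hypothetical and are
 * not the kernel's definitions. */
struct model_inet6_dev { int probe_interval_ms; };
struct model_net_device {
    const char *name;
    struct model_inet6_dev *ip6_ptr;   /* NULL when no IPv6 state is attached */
};

/* Stands in for __in6_dev_get(): may legitimately return NULL. */
static struct model_inet6_dev *model_in6_dev_get(const struct model_net_device *dev)
{
    return dev->ip6_ptr;
}

/* Pattern described in the advisory: the result is used without a check.
 * Calling this with a device whose ip6_ptr is NULL faults. */
int probe_unchecked(const struct model_net_device *dev, int elapsed_ms)
{
    struct model_inet6_dev *idev = model_in6_dev_get(dev);
    return elapsed_ms > idev->probe_interval_ms;   /* NULL dereference */
}

/* Guarded form: bail out before touching idev. Returns 1 if a probe
 * is due, 0 if not, -1 if the device has no IPv6 state. */
int probe_checked(const struct model_net_device *dev, int elapsed_ms)
{
    struct model_inet6_dev *idev = model_in6_dev_get(dev);
    if (!idev)
        return -1;
    return elapsed_ms > idev->probe_interval_ms;
}

int main(void)
{
    struct model_inet6_dev cfg = { .probe_interval_ms = 60000 };
    struct model_net_device with_v6 = { "eth0", &cfg };
    struct model_net_device no_v6   = { "eth1", NULL };  /* constructed sample */

    printf("%s: %d\n", with_v6.name, probe_checked(&with_v6, 61000));
    printf("%s: %d\n", no_v6.name, probe_checked(&no_v6, 61000));
    return 0;
}
```

In the kernel the equivalent of the unguarded path is an oops rather than a process fault, which is why the impact is denial of service.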

Defensive priority

medium

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-355557 for detailed product-specific impact assessment and patch availability
  • Verify kernel version on affected Siemens devices (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family)
  • Apply vendor-provided firmware updates when available per Siemens guidance
  • Implement network segmentation to limit exposure of industrial control system devices
  • Monitor for anomalous IPv6 traffic patterns that could trigger the vulnerable code path
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Establish maintenance windows for kernel updates on critical infrastructure devices

Evidence notes

The vulnerability description indicates syzbot identified a NULL dereference in rt6_probe() when __in6_dev_get() returns NULL. The CISA CSAF advisory ICSA-25-226-07 was initially published on 2025-08-12 and subsequently modified on 2026-02-12, 2026-02-24, and 2026-02-25 to correct affected product listings and incorporate Siemens ProductCERT updates. The threat assessment in the source marks impact as 'Misinformed' for product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. Siemens ProductCERT advisory SSA-355557 is the authoritative source for product-specific impact and remediation guidance.

Official resources

2025-08-12