PatchSiren cyber security CVE debrief
CVE-2024-41091 Siemens CVE debrief
CVE-2024-41091 is a HIGH severity vulnerability (CVSS 7.1) in the Linux kernel's TUN/TAP driver, specifically within the `tun_xdp_one()` path. The flaw involves missing validation of frame length, which can result in corrupted socket buffers (skb) being passed down the network stack. When `eth_type_trans()` processes these malformed frames, it may access Ethernet header data that is shorter than the minimum `ETH_HLEN` (14 bytes), leading to out-of-bounds memory access or inconsistent skb metadata that confuses underlying network layers. This vulnerability was published on 2025-08-12 and most recently modified on 2026-02-25. The issue affects Siemens industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. CISA issued advisory ICSA-25-226-07 covering this vulnerability, with subsequent updates in February 2026 correcting affected product listings and clarifying configuration details. Siemens has published security advisory SSA-355557 with remediation guidance. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no known ransomware campaign use has been documented.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Network administrators managing Siemens industrial Ethernet switches and routers; OT security teams responsible for SCALANCE XC/XR-series and RUGGEDCOM infrastructure; Linux kernel maintainers for embedded industrial systems; organizations with XDP-enabled network virtualization workloads on affected platforms.
Technical summary
The vulnerability exists in the `tun_xdp_one()` function of the Linux kernel's TUN driver, which handles packets in the XDP (eXpress Data Path) fast path. The function fails to validate that received frames meet the minimum Ethernet header length (`ETH_HLEN`, 14 bytes) before processing. When `eth_type_trans()` is subsequently called to determine the packet protocol type, it may read beyond the actual buffer boundary if the frame is shorter than expected. This results in two potential failure modes: (1) out-of-bounds memory access causing kernel instability or information disclosure, and (2) corruption of skb metadata fields (specifically network header offsets) that propagate incorrect length information to downstream network stack components. The corrupted skb may then be transmitted, causing further processing errors in underlying network layers. This is classified as CWE-20 (Improper Input Validation).
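The length check described above, as an added example: a userspace C model, not kernel source and not code from Siemens or the advisories. `classify_frame()` and the `sample_*` frames are hypothetical names, and the protocol logic is a simplified version of what `eth_type_trans()` does with the type/length field at bytes 12 and 13.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN        14      /* dst MAC (6) + src MAC (6) + type/length (2) */
#define ETH_P_802_3_MIN 0x0600  /* values at or above this are EtherTypes */
#define ETH_P_802_3     0x0001  /* raw 802.3 frame without LLC */
#define ETH_P_802_2     0x0004  /* 802.2 LLC frame */

/* Hypothetical userspace model (not kernel code): classify a frame the way
 * eth_type_trans() does, after first rejecting frames shorter than ETH_HLEN.
 * Returns the protocol value, or -1 if the frame is too short to parse. */
int classify_frame(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HLEN)
        return -1;  /* without this guard, frame[12..13] is read out of bounds */

    int type = (frame[12] << 8) | frame[13];
    if (type >= ETH_P_802_3_MIN)
        return type;                    /* Ethernet II: field is an EtherType */

    /* Below 0x0600 the field is an 802.3 length. Peek at the first two
     * payload bytes only if they actually exist in the buffer. */
    if (len >= ETH_HLEN + 2 && frame[14] == 0xFF && frame[15] == 0xFF)
        return ETH_P_802_3;
    return ETH_P_802_2;
}

/* Constructed sample frames (assumptions for illustration, not captures). */
static const uint8_t sample_runt[6] = {0};
static const uint8_t sample_ipv4[ETH_HLEN] = {[12] = 0x08, [13] = 0x00};
static const uint8_t sample_llc[ETH_HLEN] = {[12] = 0x00, [13] = 0x2e};
static const uint8_t sample_raw[ETH_HLEN + 2] = {[13] = 0x2e, [14] = 0xFF, [15] = 0xFF};

int main(void)
{
    printf("runt -> %d\n", classify_frame(sample_runt, sizeof sample_runt));
    printf("ipv4 -> 0x%04x\n", classify_frame(sample_ipv4, sizeof sample_ipv4));
    printf("llc  -> 0x%04x\n", classify_frame(sample_llc, sizeof sample_llc));
    printf("raw  -> 0x%04x\n", classify_frame(sample_raw, sizeof sample_raw));
    return 0;
}
```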
Defensive priority
HIGH
Recommended defensive actions
- Apply security updates from Siemens ProductCERT advisory SSA-355557 when available
- Review network segmentation for affected SCALANCE and RUGGEDCOM devices
- Monitor for anomalous network behavior indicative of skb corruption
- Implement defense-in-depth strategies per CISA ICS recommended practices
- Validate minimum frame size enforcement at network boundaries
Evidence notes
Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557. CVSS score and severity from official CVE record. Timeline derived from source revision history showing initial publication 2025-08-12, with updates on 2026-02-12, 2026-02-24, and final republication 2026-02-25.
Official resources
- CVE-2024-41091 CVE record (CVE.org)
- CVE-2024-41091 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12