PatchSiren cyber security CVE debrief
CVE-2024-42094 Siemens CVE debrief
CVE-2024-42094 describes a potential stack overflow condition in the Linux kernel's net/iucv subsystem. The vulnerability stems from explicit allocation of cpumask variables on the stack when the kernel is compiled with CONFIG_CPUMASK_OFFSTACK=y. This configuration-dependent weakness could allow local attackers to trigger stack overflow conditions, potentially leading to denial of service or other undefined behavior. The vulnerability was originally published on 2025-08-12 and last modified on 2026-02-25. Siemens has assessed this CVE as 'Misinformed' for affected products, indicating the vulnerability does not actually impact the listed product configurations as initially reported. The CVSS score of 7.1 (HIGH) reflects the theoretical severity of stack overflow conditions in kernel space, though the practical impact on Siemens products appears limited based on their threat assessment.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations running Linux-based industrial control systems, particularly those using Siemens SCALANCE or RUGGEDCOM networking equipment. System administrators managing s390/z Systems environments where IUCV is utilized. Security teams responsible for kernel configuration management in high-availability industrial networks. Compliance officers tracking CVE coverage for OT/ICS environments.
Technical summary
The vulnerability exists in the Linux kernel's Inter-User Communication Vehicle (IUCV) networking subsystem, specifically in how cpumask variables are allocated. When CONFIG_CPUMASK_OFFSTACK=y is set during kernel compilation, cpumask variables that would normally be allocated dynamically are instead placed on the stack. For large CPU count systems, these cpumask structures can consume significant stack space, potentially causing stack overflow. IUCV is primarily used in IBM System z (s390) environments for high-speed communication between virtual machines. The explicit stack allocation bypasses the intended dynamic allocation mechanism, creating a local denial of service vector. Siemens has determined this vulnerability is 'Misinformed' for their affected product lines, suggesting either the vulnerable code path is not present, the configuration is not used, or the initial assessment was incorrect.
Defensive priority
medium
Recommended defensive actions
- Verify kernel configuration on Linux-based systems to determine if CONFIG_CPUMASK_OFFSTACK=y is enabled
- Apply vendor-provided kernel updates for affected Siemens industrial networking products when available
- Monitor Siemens ProductCERT advisory SSA-355557 for updated product-specific guidance
- Review CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
- Assess exposure of IUCV (Inter-User Communication Vehicle) interfaces in s390/z Systems environments where this subsystem is primarily used
Evidence notes
CVE published 2025-08-12; modified 2026-02-25. Siemens threat assessment categorizes impact as 'Misinformed' for affected products. Source advisory ICSA-25-226-07 underwent multiple revisions, with the 2026-02-25 update reflecting republication based on Siemens ProductCERT SSA-355557 advisory.
Official resources
-
CVE-2024-42094 CVE record
CVE.org
-
CVE-2024-42094 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12