PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-42106 Siemens CVE debrief

This CVE addresses an uninitialized memory vulnerability in the Linux kernel's inet_diag subsystem. The fix initializes the pad field in struct inet_diag_req_v2, which was previously left uninitialized. This vulnerability could potentially lead to information disclosure or other undefined behavior when the uninitialized padding bytes are accessed. The issue affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The vulnerability is rated MEDIUM severity with a CVSS 3.1 score of 4.4, reflecting local attack vector, low attack complexity, and high privileges required, with availability impact as the primary concern. Siemens has released updates to address this issue in SINEC OS V3.1 and later versions.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking infrastructure, particularly those using RUGGEDCOM RST2428P or SCALANCE XC/XR series switches in critical infrastructure environments. OT security teams responsible for maintaining SINEC OS deployments should prioritize patching to V3.1 or later.

Technical summary

CVE-2024-42106 is an information disclosure vulnerability in the Linux kernel's inet_diag subsystem. The struct inet_diag_req_v2 contains a pad field that was not properly initialized, potentially leaking kernel stack memory or causing undefined behavior. The vulnerability is exploitable locally with high privileges required, limiting its practical attack surface. Siemens industrial networking products running SINEC OS are affected, including RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The fix ensures proper initialization of the pad field to prevent information leakage.
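The bug class described above, shown as an added user-space illustration (not the kernel's code and not taken from the Siemens or CISA advisories). The struct is a simplified stand-in for the leading fields of struct inet_diag_req_v2, the builder and checker function names are hypothetical, and reused stack memory is simulated with a constructed 0xAA fill so the result is deterministic:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the leading fields of struct inet_diag_req_v2
 * (illustrative; the socket id member is omitted). */
struct diag_req_v2 {
    uint8_t  sdiag_family;
    uint8_t  sdiag_protocol;
    uint8_t  idiag_ext;
    uint8_t  pad;              /* the field the fix initializes */
    uint32_t idiag_states;
};

#define STALE 0xAA  /* constructed marker standing in for leftover stack bytes */

/* Hypothetical builder: assigns fields one by one. Without init_pad the
 * pad byte is never written and keeps whatever the memory held before. */
static void build_req(struct diag_req_v2 *req, uint8_t family,
                      uint8_t protocol, uint32_t states, int init_pad)
{
    req->sdiag_family   = family;
    req->sdiag_protocol = protocol;
    req->idiag_ext      = 0;
    if (init_pad)
        req->pad = 0;          /* the kind of change the fix makes */
    req->idiag_states   = states;
}

/* Builds a request over simulated reused memory and returns the offset of
 * the first byte still holding the stale marker, or -1 if none remains. */
static int first_stale_offset(int init_pad)
{
    struct diag_req_v2 req;
    unsigned char raw[sizeof(req)];

    memset(&req, STALE, sizeof(req));
    build_req(&req, 2 /* AF_INET */, 255 /* IPPROTO_RAW */, 0xffffffffu, init_pad);
    memcpy(raw, &req, sizeof(req));
    for (size_t i = 0; i < sizeof(raw); i++)
        if (raw[i] == STALE)
            return (int)i;
    return -1;
}

int main(void)
{
    printf("unfixed: stale byte at offset %d\n", first_stale_offset(0));
    printf("fixed:   stale byte at offset %d\n", first_stale_offset(1));
    return 0;
}
```

The same byte-scan over a pre-filled buffer works as a unit-test pattern for any request struct that carries explicit pad or reserved fields.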

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided updates to SINEC OS V3.1 or later for affected Siemens RUGGEDCOM and SCALANCE products
  • Review and implement CISA ICS recommended practices for industrial control system security
  • Monitor Siemens ProductCERT advisories for additional security updates
  • Apply defense-in-depth strategies for industrial control systems as recommended by CISA

Evidence notes

The vulnerability was resolved in the Linux kernel by initializing the pad field in struct inet_diag_req_v2. The CISA ICS advisory ICSA-25-226-15, republished on 2026-02-25 based on Siemens ProductCERT SSA-613116, identifies the affected Siemens products. The advisory was initially published on 2025-08-12 and underwent multiple revisions, including corrections to the affected products list and removal of rejected CVEs. The CVSS vector indicates a local attack vector with high privilege requirements, limiting exploitability.
