PatchSiren cyber security CVE debrief
CVE-2024-46674 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel USB DWC3 ST driver probe error handling path. The flaw stems from an incorrect error cleanup label that decrements the reference count of a platform device that was never allocated by the probe function itself. When triggered, this leads to unbalanced reference counts, premature resource release, and potential use-after-free conditions during subsequent devm-managed resource cleanup. The vulnerability is rated CVSS 3.1 5.5 (MEDIUM) with local attack vector, low attack complexity, and low privileges required, resulting in high availability impact. Siemens has identified affected products in its industrial networking portfolio including RUGGEDCOM RST2428P and SCALANCE switch families running SINEC OS. CISA published advisory ICSA-25-226-07 on August 12, 2025, with subsequent updates through February 25, 2026, to refine affected product listings and incorporate corrections from Siemens ProductCERT.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P industrial routers or SINEC OS-based SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 industrial Ethernet switches. System administrators responsible for industrial network infrastructure security, OT security teams managing critical infrastructure environments, and vulnerability management programs tracking Linux kernel vulnerabilities in embedded industrial systems.
Technical summary
The vulnerability exists in the st_dwc3_probe() function of drivers/usb/dwc3/dwc3-st.c in the Linux kernel. The probe function's error handling path includes a label 'undo_platform_dev_alloc' that calls put_device() on the platform device pointer. However, the probe function never allocates this platform device; it receives it as a parameter. When error conditions trigger this path, the reference count is decremented without a corresponding increment, causing premature device release. Subsequent cleanup of devm-managed resources may then access freed memory. The CVSS 3.1 score of 5.5 reflects local exploitation requirements with high availability impact but no confidentiality or integrity impact. Affected Siemens products incorporate this vulnerable kernel component in their SINEC OS firmware.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE switch families as specified in Siemens security advisory SSA-355557
- Review CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
- Monitor Siemens ProductCERT and CISA ICS advisories for additional affected product announcements or remediation updates
- Implement network segmentation to limit exposure of affected industrial networking equipment to untrusted local access
- Apply principle of least privilege for administrative access to affected device management interfaces
Evidence notes
The vulnerability description indicates this is a kernel driver bug in the USB DWC3 ST platform driver where an erroneous error path label 'undo_platform_dev_alloc' performs a put_device() operation on the platform device being probed, despite the probe function never having performed a platform device allocation. This creates a reference count imbalance. The CVSS vector confirms local attack requirements with AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Siemens remediation guidance specifies firmware update to V3.2 or later for affected RUGGEDCOM and SCALANCE products. The CISA advisory underwent an initial publication followed by three revisions: initial publication (2025-08-12), product list correction (2026-02-12), family configuration clarification and rejected CVE removal (2026-02-24), and final republication with Siemens advisory alignment (2026-02-25).
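The reference-count imbalance described in the technical summary and in the evidence notes above is easier to reason about in a small userspace model. The following C program is an added example, not kernel code and not taken from the dwc3-st driver or from Siemens; all names (model_device, model_probe_buggy, model_probe_fixed, model_drive_probe) are hypothetical. It models a bus core that holds one reference on a device while probing it, a probe whose error label drops a reference the probe never acquired (the buggy shape), and the corrected shape that only undoes what the probe itself did. The driver function returns the reference count that the post-probe devm-style cleanup observes, so 0 means that cleanup ran on an already released device.

```c
/* Userspace model (added example, not kernel code) of the refcount imbalance
 * pattern: a probe() that receives an already referenced device and, on an
 * error path, drops a reference it never took. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct model_device {
    int refcount;   /* stands in for the kobject/kref count on struct device */
    bool released;  /* set when the count reaches zero; stands in for the free */
};

/* The bus core takes a reference before calling probe(). */
static void model_get_device(struct model_device *d) { d->refcount++; }

static void model_put_device(struct model_device *d)
{
    if (--d->refcount == 0)
        d->released = true;   /* in the kernel the device memory is freed here */
}

/* Simulated hardware setup step; fails when `fail` is true. */
static int model_init_resource(bool fail) { return fail ? -1 : 0; }

/* Buggy shape: the error label drops a reference the probe never acquired. */
static int model_probe_buggy(struct model_device *pdev, bool fail_init)
{
    int ret = model_init_resource(fail_init);
    if (ret)
        goto undo_platform_dev_alloc;   /* mislabelled cleanup target */
    return 0;

undo_platform_dev_alloc:
    model_put_device(pdev);             /* unbalanced put: caller still owns pdev */
    return ret;
}

/* Fixed shape: nothing was allocated, so there is nothing to undo. */
static int model_probe_fixed(struct model_device *pdev, bool fail_init)
{
    (void)pdev;
    int ret = model_init_resource(fail_init);
    if (ret)
        return ret;   /* the bus core keeps its own reference */
    return 0;
}

/* Drives a probe the way a bus core would: take the reference, call probe,
 * then run the devm-style cleanup that still dereferences the device.
 * Returns the refcount that cleanup observes; 0 means the device was
 * already released, i.e. the cleanup touched freed memory in the kernel. */
static int model_drive_probe(int (*probe)(struct model_device *, bool),
                             bool fail_init)
{
    struct model_device dev = { .refcount = 0, .released = false };
    model_get_device(&dev);           /* bus core's reference */
    (void)probe(&dev, fail_init);
    int seen = dev.released ? 0 : dev.refcount;   /* devm cleanup runs here */
    if (!dev.released)
        model_put_device(&dev);       /* bus core drops its own reference */
    return seen;
}

int main(void)
{
    printf("buggy probe, init fails : refcount seen by cleanup = %d\n",
           model_drive_probe(model_probe_buggy, true));
    printf("fixed probe, init fails : refcount seen by cleanup = %d\n",
           model_drive_probe(model_probe_fixed, true));
    return 0;
}
```

Running the model prints 0 for the buggy probe and 1 for the fixed one on the failing path; on the successful path both leave the count balanced. The same discipline is the review check a maintainer applies to any probe error ladder: each undo label must correspond to an acquisition the function itself performed, and a put on an object received as a parameter is a red flag.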
Official resources
- CVE-2024-46674 CVE record (CVE.org)
- CVE-2024-46674 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12