CVE-2024-46832 Siemens CVE debrief

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family switches with SINEC OS should monitor vendor guidance, though vendor assessment indicates low operational risk.

Technical summary

The vulnerability exists in the MIPS cevt-r4k (R4000-class) clock event driver where get_c0_compare_int() is called during timer IRQ installation on secondary CPUs. This call occurs in an invalid context that can trigger a BUG warning for sleeping functions (specifically mutex operations at kernel/locking/mutex.c:283). The fix avoids calling get_c0_compare_int when the timer IRQ is already installed and removes unnecessary IRQ number storage in struct clock_event_device, which per kernel comments is only intended for non-CPU-local devices. Siemens has determined this vulnerability's impact is 'Misinformed' for affected products, suggesting the original CVE assessment does not accurately characterize risk to their industrial networking platforms.

Defensive priority

low

Recommended defensive actions

• Review Siemens ProductCERT advisory SSA-355557 for current product-specific guidance
• Verify SINEC OS version and applicable security patches through Siemens support channels
• Monitor CISA ICS advisories for any updates to impact assessment
• Apply defense-in-depth practices for industrial control systems per CISA guidance

Evidence notes

Source CISA CSAF advisory ICSA-25-226-07, republished 2026-02-25 based on Siemens ProductCERT SSA-355557. Siemens threat assessment categorizes impact as 'Misinformed' for all listed product IDs (CSAFPID-0006, CSAFPID-0002, CSAFPID-0003). No CVSS vector provided in source.

Official resources