PatchSiren cyber security CVE debrief
CVE-2024-47668 Siemens CVE debrief
A race condition in the Linux kernel's generic radix tree implementation (lib/generic-radix-tree.c) affects Siemens industrial networking products running SINEC OS. The vulnerability in __genradix_ptr_alloc() can lead to denial of service conditions. Siemens has released firmware updates to address this issue in affected RUGGEDCOM and SCALANCE product families.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 devices in industrial control system environments. System administrators responsible for firmware lifecycle management in OT networks. Security teams monitoring CVEs affecting embedded Linux systems in critical infrastructure.
Technical summary
The vulnerability exists in __genradix_ptr_alloc() within lib/generic-radix-tree.c, a Linux kernel data structure implementation used for memory-efficient storage of sparse arrays. A race condition during pointer allocation can result in memory corruption or null pointer dereferences, leading to system crashes or denial of service. The affected code path requires local access with low privileges, consistent with the CVSS attack vector metrics. Siemens has integrated Linux kernel components into SINEC OS, which powers multiple industrial Ethernet switch product lines.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates: update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to version 3.2 or later
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, consult Siemens advisory SSA-355557 for specific configuration guidance and patch availability
- Implement network segmentation for industrial control systems to limit local access vectors
- Follow CISA ICS recommended practices for defense-in-depth strategies
- Monitor Siemens ProductCERT advisories for additional updates to affected product configurations
Evidence notes
CISA published advisory ICSA-25-226-07 on 2025-08-12, subsequently updated on 2026-02-25 to reflect corrections to affected product lists and clarifications on SCALANCE family configurations. The advisory references Siemens ProductCERT advisory SSA-355557. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with low attack complexity, requiring low privileges and resulting in high availability impact.
Official resources
- CVE-2024-47668 CVE record (CVE.org)
- CVE-2024-47668 NVD detail (NVD)
- Source item URL (cisa_csaf)