PatchSiren cyber security CVE debrief
CVE-2024-47696 Siemens CVE debrief
A use-after-free vulnerability in the Linux kernel's RDMA/iwcm (iWARP Connection Manager) subsystem, affecting Siemens industrial networking products. The flaw stems from improper workqueue handling where `flush_workqueue()` is called on `iwcm_wq` without the `WQ_MEM_RECLAIM` flag, violating kernel workqueue forward-progress guarantees and potentially causing deadlocks. This is a local privilege escalation vulnerability with HIGH severity (CVSS 7.8).
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH series managed switches in industrial control system environments. System administrators responsible for OT/ICS network infrastructure, security teams managing critical infrastructure, and compliance officers tracking CVE remediation for NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks.
Technical summary
The vulnerability exists in the Linux kernel's RDMA/iwcm subsystem, where improper workqueue flag configuration creates a deadlock risk. Specifically, `iwcm_wq` is created with `alloc_ordered_workqueue()` without `WQ_MEM_RECLAIM`, but `flush_workqueue()` is subsequently called on it. The kernel's `check_flush_dependency()` validates that when flushing a workqueue without `WQ_MEM_RECLAIM`, the calling context must not be in memory reclaim or running on another non-reclaim workqueue. A violation breaks forward-progress guarantees and can deadlock. This is classified as CWE-416 (Use After Free) with a local attack vector, low attack complexity, and high impact to confidentiality, integrity, and availability.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family products per Siemens ProductCERT guidance
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT SSA-355557 for specific configuration-dependent patch guidance
- Implement network segmentation to isolate affected industrial control system devices from untrusted networks
- Monitor for anomalous local access attempts to affected devices, as exploitation requires local access (AV:L)
- Apply principle of least privilege for administrative access to affected Siemens networking equipment
- Review and apply CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
Evidence notes
The vulnerability was resolved in the Linux kernel via a commit addressing the WARNING at kernel/workqueue.c in `check_flush_dependency`. The root cause was introduced in commit aee2424246f9 (RDMA/iwcm: Fix a use-after-free related to destroying CM IDs), where `flush_workqueue` was invoked on `iwcm_wq`, which had been created via `alloc_ordered_workqueue` without the `WQ_MEM_RECLAIM` flag. This violates kernel workqueue constraints that require `WQ_MEM_RECLAIM` when flushing from contexts that may be involved in memory reclaim or non-reclaim workqueues, breaking forward-progress guarantees and leading to potential deadlock. Siemens ProductCERT SSA-355557 and CISA ICSA-25-226-07 provide vendor-specific impact assessment for affected industrial control system products.
Official resources
- CVE-2024-47696 CVE record (CVE.org)
- CVE-2024-47696 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12