PatchSiren cyber security CVE debrief
CVE-2024-49936 Siemens CVE debrief
A use-after-free (UAF) vulnerability exists in the Linux kernel's Xen netback driver (net/xen-netback). The flaw occurs in the xenvif_flush_hash() function during list_for_each_entry_rcu iteration, where kfree_rcu is not properly protected within the RCU read critical section. If kfree_rcu is invoked and the RCU grace period ends during iteration, accessing head->next after the entry has been freed results in a UAF. This vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE switch families. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM severity), with a local attack vector, low attack complexity, low privileges required, and high availability impact.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 family switches in industrial environments. System administrators responsible for OT network security and availability. Security teams monitoring Linux kernel vulnerabilities affecting embedded industrial systems.
Technical summary
The vulnerability stems from improper RCU (Read-Copy-Update) synchronization in the xenvif_flush_hash() function of the Xen netback driver. During list_for_each_entry_rcu iteration, the kfree_rcu operation is not contained within the RCU read critical section. This timing window allows the RCU grace period to complete while iteration is ongoing, resulting in use-after-free when subsequent access to head->next occurs on freed memory. The flaw is classified under CWE-416 (Use After Free). Affected Siemens products incorporate this vulnerable kernel component in their SINEC OS firmware. Successful exploitation could cause denial of service conditions in network infrastructure devices.
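Added example (not from the advisory or the kernel source): a userspace C model of the iteration problem described above, next to a walk that avoids it. The names entry, release_now, read_next, flush_unsafe, flush_safe and run are hypothetical; release_now models the assumed worst case in which the grace period ends immediately, and the safe walk follows the idea of the kernel's list_for_each_entry_safe().

```c
#include <stdio.h>

/* Userspace model (constructed, not kernel code). Entries live in an array and
 * "freeing" only sets a flag, so a stale read is counted instead of being UB. */
struct entry { struct entry *next; int freed; };

/* Stand-in for kfree_rcu() in the worst case: the grace period ends at once. */
static void release_now(struct entry *e) { e->freed = 1; }

/* Every read of ->next goes through here so stale accesses are detected. */
static struct entry *read_next(struct entry *e, int *stale)
{
    if (e->freed)
        (*stale)++;             /* in the kernel this read would be the UAF */
    return e->next;
}

/* Walk as described in the summary: release the entry, then step via e->next. */
static int flush_unsafe(struct entry *head)
{
    int stale = 0;
    for (struct entry *e = head; e; e = read_next(e, &stale))
        release_now(e);
    return stale;
}

/* Walk that captures the successor before the entry is released. */
static int flush_safe(struct entry *head)
{
    int stale = 0;
    for (struct entry *e = head, *n; e; e = n) {
        n = read_next(e, &stale);   /* e is still valid here */
        release_now(e);             /* e is never dereferenced again */
    }
    return stale;
}

/* Build an n-entry list (n <= 8), flush it, and return the stale-read count. */
static int run(int n, int safe)
{
    struct entry pool[8] = {{0}};
    for (int i = 0; i + 1 < n; i++)
        pool[i].next = &pool[i + 1];
    return safe ? flush_safe(n ? pool : NULL) : flush_unsafe(n ? pool : NULL);
}

int main(void)
{
    printf("unsafe: %d stale reads, safe: %d\n", run(4, 0), run(4, 1));
}
```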
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected Siemens RUGGEDCOM and SCALANCE products
- Review Siemens ProductCERT advisory SSA-355557 for specific product configuration guidance
- Implement network segmentation for industrial control systems per CISA recommended practices
- Monitor for anomalous behavior in affected network infrastructure devices
- Validate that RCU-protected data structures in custom kernel modules follow proper critical section boundaries
Evidence notes
CVE published 2025-08-12 per official CVE record. CISA ICS advisory ICSA-25-226-07 published same date. Advisory modified 2026-02-25 with republication based on Siemens ProductCERT SSA-355557. Vendor fix requires update to V3.2 or later for affected products.
Official resources
- CVE-2024-49936 CVE record (CVE.org)
- CVE-2024-49936 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12