PatchSiren cyber security CVE debrief
CVE-2024-50039 Siemens CVE debrief
A vulnerability in the Linux kernel's network scheduler (net/sched) allows local attackers to cause a denial of service (system crash) by exploiting improper handling of the TCA_STAB parameter on non-root queueing disciplines (qdiscs). The issue stems from an assumption that packet length remains invariant between enqueue() and dequeue() handlers, which fails when TCA_STAB is applied to child qdiscs rather than only the root qdisc. A syzbot-reproducible crash scenario involves combining Token Bucket Filter (TBF) with Stochastic Fairness Queueing (SFQ) and applying STAB to SFQ. Siemens has identified affected products in its industrial networking portfolio, including RUGGEDCOM RST2428P and SCALANCE switch families running SINEC OS. The vulnerability was resolved by restricting TCA_STAB acceptance to root qdisc only.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE XC/XR/XCM/XRM/XCH/XRH families) running SINEC OS with Linux kernel-based traffic control. System administrators managing Linux systems with custom tc/qdisc configurations. Industrial control system operators relying on network QoS mechanisms for deterministic traffic handling.
Technical summary
The Linux kernel's traffic control subsystem improperly accepts TCA_STAB (size table) parameters on non-root queueing disciplines. Most qdiscs maintain backlog counters using qdisc_pkt_len(skb), assuming that packet length does not change between the enqueue and dequeue operations. When TCA_STAB is applied to child qdiscs (e.g., SFQ under TBF), this assumption breaks, leading to counter corruption and a system crash. The fix restricts TCA_STAB to the root qdisc only, preventing the inconsistent state that enables the crash. An attack requires local access with privileges to configure network schedulers (typically CAP_NET_ADMIN).
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to V3.2 or later for affected RUGGEDCOM and SCALANCE products per Siemens ProductCERT guidance
- Review network traffic control configurations to ensure TCA_STAB is only applied at root qdisc level
- Monitor for anomalous local process activity attempting to manipulate qdisc configurations
- Implement principle of least privilege for accounts with CAP_NET_ADMIN capability
- Consult Siemens ProductCERT advisory SSA-355557 for product-specific remediation timelines and configuration guidance
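One way to carry out the configuration review above on a Linux host, as an added example that is not part of the advisory or vendor guidance: a shell function that reads `tc -d qdisc show` output and lists qdiscs that carry a size table without being attached at root. It assumes tc prints a configured stab as an indented continuation line containing `tsize`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): list non-root qdiscs that carry a
# size table. Assumption: `tc -d qdisc show` prints a configured stab as an
# indented continuation line containing "tsize" under the qdisc it belongs to.

# Reads `tc -d qdisc show` text on stdin; prints "dev kind handle parent <id>"
# for every qdisc that has a size table but is not attached at root.
find_nonroot_stab() {
    awk '
        /^qdisc / {
            # New qdisc record: remember its identity and attachment point.
            kind = $2; handle = $3; dev = "?"; parent = "?"; is_root = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "parent") parent = $(i + 1)
                if ($i == "root")   is_root = 1
            }
            next
        }
        # Continuation line with a size table belonging to the current qdisc.
        /^[ \t]/ && /(^|[ \t])tsize[ \t]+[0-9]/ {
            if (kind != "" && !is_root)
                print dev, kind, handle, "parent", parent
        }
    '
}

# Constructed sample: TBF at root with an SFQ child that has a size table
# (the combination named in the summary), plus a root HTB with a stab,
# which is the permitted placement.
sample_tc_output() {
    cat <<'EOF'
qdisc tbf 1: dev eth0 root refcnt 2 rate 1Mbit burst 1600b lat 50ms
qdisc sfq 10: dev eth0 parent 1:1 limit 127p quantum 1514b depth 127 divisor 1024
 linklayer ethernet overhead 8 mtu 2047 tsize 512
qdisc htb 1: dev eth1 root refcnt 2 r2q 10 default 0x12 direct_packets_stat 0 direct_qlen 1000
 linklayer atm overhead 44 mtu 2047 tsize 512
EOF
}

sample_tc_output | find_nonroot_stab
# On a live host: tc -d qdisc show | find_nonroot_stab
```

Any line it prints identifies a qdisc whose size table should be moved to the root qdisc or removed.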
Evidence notes
CVE published 2025-08-12 per official CVE record. CISA advisory ICSA-25-226-07 published same date. Siemens ProductCERT advisory SSA-355557 referenced as authoritative vendor source. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields 5.5 MEDIUM score, consistent with local attack vector and high availability impact. CWE-476 (NULL Pointer Dereference) cited in source references.
Official resources
- CVE-2024-50039 CVE record (CVE.org)
- CVE-2024-50039 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12