PatchSiren

CVE-2024-50251 Siemens CVE debrief

CVE-2024-50251 is a vulnerability in the Linux kernel's netfilter subsystem, specifically within the nft_payload module. The issue occurs when offset and length parameters are not properly sanitized before calling skb_checksum(). If the combined offset and length exceed the actual skbuff (socket buffer) length, skb_checksum() triggers a BUG_ON() assertion, resulting in a kernel crash and denial of service. The vulnerability requires local access with low privileges and has a medium severity CVSS score of 5.5. Siemens has identified affected products in their industrial networking equipment lines, including RUGGEDCOM RST2428P and SCALANCE families, which incorporate the vulnerable Linux kernel components. The vulnerability was published on August 12, 2025, with the advisory last modified on February 25, 2026.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families. System administrators managing Linux-based industrial control systems with nftables enabled. Security teams responsible for OT/ICS network infrastructure availability.

Technical summary

The vulnerability exists in the Linux kernel's netfilter framework, specifically the nft_payload module used for packet payload manipulation in nftables. The function skb_checksum() expects that the length parameter provided will be fully consumed when iterating over the socket buffer. When nft_payload passes unsanitized offset and length values where offset + length exceeds the actual skbuff length, skb_checksum() fails its internal BUG_ON(len) assertion at the end of processing. This results in an immediate kernel panic. The vulnerability is exploitable by local users with the ability to configure nftables rules, requiring only low privileges and no user interaction. The attack complexity is low, with no impact to confidentiality or integrity, but high availability impact due to system crash.
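The length accounting described above can be reproduced in a small userspace model. This is an added example, not kernel source and not the upstream or Siemens fix; model_skb, model_walk, payload_csum, REJECTED and WOULD_BUG are hypothetical names, the sample buffer is constructed, and a plain byte sum stands in for the real checksum arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

enum { REJECTED = -1, WOULD_BUG = -2 };   /* model outcomes, not kernel values */
/* Simplified stand-in for an skbuff whose data is split across fragments. */
struct frag { const uint8_t *data; uint32_t len; };
struct model_skb { const struct frag *frags; uint32_t nfrags, len; };

/* Consume `len` bytes from `off`, fragment by fragment; return bytes left over.
 * The byte sum is a placeholder for the real checksum arithmetic. */
static uint32_t model_walk(const struct model_skb *skb, uint32_t off, uint32_t len, uint32_t *sum)
{
    uint32_t pos = 0;
    for (uint32_t i = 0; i < skb->nfrags && len > 0; i++) {
        uint32_t end = pos + skb->frags[i].len;
        if (off < end) {
            uint32_t copy = end - off < len ? end - off : len;
            for (uint32_t j = 0; j < copy; j++)
                *sum += skb->frags[i].data[off - pos + j];
            off += copy;
            len -= copy;
        }
        pos = end;
    }
    return len;
}

/* sanitize != 0 applies the overflow-safe form of "off + len > skb->len" first.
 * Without it, leftover bytes reach the point where the kernel hits BUG_ON(len). */
int payload_csum(const struct model_skb *skb, uint32_t off, uint32_t len, int sanitize)
{
    uint32_t sum = 0;
    if (sanitize && (off > skb->len || len > skb->len - off))
        return REJECTED;
    return model_walk(skb, off, len, &sum) ? WOULD_BUG : (int)sum;
}

/* Constructed sample: 6 payload bytes in two fragments. */
static const uint8_t f0[] = {1, 2, 3, 4}, f1[] = {5, 6};
static const struct frag sample_frags[] = { {f0, 4}, {f1, 2} };
const struct model_skb sample = { sample_frags, 2, 6 };

int main(void)
{
    printf("in range        : %d\n", payload_csum(&sample, 2, 4, 1));
    printf("past end, raw   : %d\n", payload_csum(&sample, 4, 4, 0));
    printf("past end, guard : %d\n", payload_csum(&sample, 4, 4, 1));
    return 0;
}
```

The guard is written as two comparisons rather than a single `off + len` addition so that a very large offset cannot wrap around and pass the check.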

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided updates to affected Siemens industrial networking products: update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family to V3.2 or later
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and patch availability
  • Implement network segmentation to limit local access to affected industrial control systems
  • Monitor for unexpected system crashes or reboots in affected Siemens networking equipment that may indicate exploitation attempts
  • Apply principle of least privilege to limit local user access on systems running affected kernel versions

Evidence notes

The vulnerability description is sourced from CISA ICS advisory ICSA-25-226-07, which republishes Siemens ProductCERT advisory SSA-355557. The technical details indicate this is a kernel-level bug in netfilter's nft_payload implementation where insufficient bounds checking leads to a BUG_ON() trigger in skb_checksum() when offset+length exceeds skbuff boundaries.

Official resources

2025-08-12