PatchSiren cyber security CVE debrief
CVE-2024-56576 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's TC358743 HDMI-to-CSI-2 bridge driver (media: i2c: tc358743). When the driver's probe() function encounters an error after arming a polling timer, the timer is not properly cancelled before cleanup. The timer subsequently fires with pointers to already-freed memory, causing a kernel crash. This is a local attack vector requiring low privileges with no user interaction. The vulnerability affects Siemens industrial networking products running SINEC OS that incorporate the vulnerable kernel component.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH series switches running SINEC OS. System administrators responsible for OT/ICS network infrastructure security. Security teams monitoring for kernel-level vulnerabilities in embedded Linux systems used in industrial environments.
Technical summary
The TC358743 is an HDMI-to-CSI-2 bridge chip commonly used in embedded video capture applications. The Linux kernel driver for this device uses a polling timer to check hardware status. During the probe() initialization path, if certain operations succeed (arming the timer) but subsequent operations fail, the driver's error handling path does not cancel the armed timer. When probe() returns an error, the driver's private data structures are freed. However, the still-armed timer fires later and attempts to access the freed memory, resulting in a use-after-free condition that manifests as a kernel crash (denial of service). The vulnerability is exploitable only locally with low privileges, as it requires the ability to trigger probe() failure conditions (e.g., through hardware manipulation or resource exhaustion). The primary impact is availability loss through system crash.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to address the underlying kernel vulnerability in affected Siemens industrial networking products
- For RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family, update to firmware version V3.2 or later
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific update guidance
- Implement defense-in-depth strategies for industrial control systems as recommended by CISA
- Monitor for anomalous system crashes or unexpected reboots on affected devices that could indicate exploitation attempts
- Restrict physical and logical access to affected devices to authorized personnel only
- Follow Siemens ProductCERT security advisories for additional remediation guidance
Evidence notes
The vulnerability description indicates a classic use-after-free pattern in kernel driver error handling. The polling timer mechanism in the TC358743 driver arms a timer during probe, but if probe fails after this point, the timer is not removed before the driver tears down its data structures. When the timer expires, it dereferences freed memory. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms local attack vector with low attack complexity, low privileges required, no user interaction, and high availability impact (crash). The vulnerability is not in KEV and has no known ransomware campaign use.
Official resources
-
CVE-2024-56576 CVE record
CVE.org
-
CVE-2024-56576 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12