PatchSiren cyber security CVE debrief

CVE-2024-56600 Siemens CVE debrief

CVE-2024-56600 is a use-after-free vulnerability in the Linux kernel's IPv6 networking subsystem. The flaw occurs in inet6_create(), where sock_init_data() attaches a newly allocated sk (struct sock) pointer to the sock (struct socket) object. If inet6_create() fails after this attachment, the sk object is released, but the sock object retains a dangling pointer to the freed memory. A later dereference of that pointer is a use-after-free, with potential for privilege escalation or system instability. The vulnerability has a CVSS 3.1 score of 7.8 (HIGH severity) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a local attack vector with low complexity and high impact on confidentiality, integrity, and availability. Siemens has identified affected products in its industrial networking equipment line, including the RUGGEDCOM RST2428P and the SCALANCE switch families running SINEC OS. The vulnerability was initially published on August 12, 2025, with subsequent modifications through February 25, 2026, including corrections to the affected product list and advisory republication based on Siemens ProductCERT SSA-355557.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P and SCALANCE switch families, particularly those with IPv6-enabled networks in critical infrastructure, manufacturing, and utility environments. System administrators responsible for patch management in OT/ICS environments should prioritize this update due to the high severity and potential for privilege escalation.

Technical summary

The vulnerability exists in the inet6_create() function in net/ipv6/af_inet6.c of the Linux kernel. During IPv6 socket creation, sock_init_data() attaches a newly allocated struct sock (sk) pointer to the struct socket (sock) object. If a subsequent initialization step in inet6_create() fails, the error handling path releases the sk object via sock_put() or an equivalent release routine, but does not clear the sock->sk pointer. This leaves a dangling reference in the socket structure. A later operation on the socket (such as close, ioctl, or a further protocol operation) may dereference this stale pointer and access freed memory. The use-after-free can corrupt kernel memory, potentially enabling local privilege escalation or denial of service. The fix explicitly sets sock->sk to NULL in the error handling path before releasing the sk object, so that no dangling reference remains.
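The following user-space model, added here as an illustration and not taken from the kernel or from the Siemens advisory, reproduces the shape of the bug and of the fix described above. The struct names, the static one-object "slab", and the `freed` flag are constructed stand-ins for struct sock, struct socket and the allocator's poisoning of a released object; they let the stale reference be inspected safely instead of dereferencing freed memory. The vulnerable create path releases sk but leaves sock->sk pointing at it, so a later release operation touches a freed object; the fixed path clears sock->sk first.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (constructed for this example, not kernel code) of the objects
 * handled by inet6_create(): the socket holds a pointer to the protocol sk. */
struct sk_model {
    int refcnt;
    int freed;   /* stands in for the allocator poisoning a released object */
};

struct socket_model {
    struct sk_model *sk;   /* mirrors sock->sk */
};

/* A static "slab" of one sk so a released object stays inspectable without UB. */
static struct sk_model sk_slab;

static struct sk_model *model_sk_alloc(void)
{
    sk_slab.refcnt = 1;
    sk_slab.freed = 0;
    return &sk_slab;
}

/* Models sock_init_data(): publish the new sk through sock->sk. */
static void model_sock_init_data(struct socket_model *sock, struct sk_model *sk)
{
    sock->sk = sk;
}

/* Models sock_put()/sk_free(): mark the object released when the last ref drops. */
static void model_sock_put(struct sk_model *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = 1;
}

/* Vulnerable shape: on a late failure sk is released, but sock->sk still points at it. */
static int create_vulnerable(struct socket_model *sock, int fail_late)
{
    struct sk_model *sk = model_sk_alloc();
    model_sock_init_data(sock, sk);
    if (fail_late) {
        model_sock_put(sk);      /* sk is gone ... */
        return -EINVAL;          /* ... but sock->sk is left dangling */
    }
    return 0;
}

/* Fixed shape: clear sock->sk before releasing sk, so no stale reference survives. */
static int create_fixed(struct socket_model *sock, int fail_late)
{
    struct sk_model *sk = model_sk_alloc();
    model_sock_init_data(sock, sk);
    if (fail_late) {
        sock->sk = NULL;         /* the one-line fix described in the summary */
        model_sock_put(sk);
        return -EINVAL;
    }
    return 0;
}

/* Models a later operation such as close(): follows sock->sk if it is set.
 * Returns 1 if it reached a released object (a use-after-free), 0 otherwise. */
static int model_release(struct socket_model *sock)
{
    if (!sock->sk)
        return 0;
    if (sock->sk->freed)
        return 1;
    model_sock_put(sock->sk);
    sock->sk = NULL;
    return 0;
}

/* Force the late failure on one create variant; 1 means a UAF was observed. */
static int uaf_observed(int (*create)(struct socket_model *, int))
{
    struct socket_model sock = { NULL };
    create(&sock, 1);
    return model_release(&sock);
}

/* Success path sanity check: create attaches sk, release drops it and clears sock->sk. */
static int success_path_ok(void)
{
    struct socket_model sock = { NULL };
    if (create_fixed(&sock, 0) != 0 || sock.sk == NULL)
        return 0;
    return model_release(&sock) == 0 && sock.sk == NULL;
}

int main(void)
{
    printf("vulnerable path reaches released sk: %d\n", uaf_observed(create_vulnerable));
    printf("fixed path reaches released sk:      %d\n", uaf_observed(create_fixed));
    printf("success path behaves:                %d\n", success_path_ok());
    return 0;
}
```

The model mirrors why the fix is a single assignment: the object lifetime is already handled correctly by the reference count, and the defect is purely that a published pointer outlives the object it names. In the real kernel the equivalent of the `freed` check is KASAN, which is the tool to run against a patched build when validating the update.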

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT SSA-355557 for specific configuration guidance and patch availability
  • Implement network segmentation to limit exposure of affected industrial control system devices
  • Monitor for anomalous network behavior or unexpected IPv6 socket operations on affected systems
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies
  • Validate successful patch application through version verification and post-update system testing

Evidence notes

Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT SSA-355557. CVSS vector and score sourced from official CVE record. Remediation guidance specifies update to V3.2 or later for affected RUGGEDCOM and SCALANCE products.
