PatchSiren cyber security CVE debrief
CVE-2024-56601 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's networking stack within the `inet_create()` function. When socket initialization attaches an `sk` object to a `sock` object via `sock_init_data()`, a subsequent failure in `inet_create()` frees the `sk` object but leaves a dangling pointer in the `sock` structure. This dangling pointer can lead to memory corruption and potential privilege escalation when the socket is later accessed. The vulnerability is rated HIGH severity (CVSS 7.8), with a local attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Siemens has identified affected products in its industrial networking portfolio, including RUGGEDCOM RST2428P and SCALANCE switch families running SINEC OS. The issue was resolved in the upstream Linux kernel by clearing the `sk` pointer in the `sock` object upon error.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH switch families running SINEC OS. System administrators responsible for patch management in operational technology environments. Security teams monitoring Linux kernel vulnerabilities affecting embedded industrial systems. Compliance officers tracking CVE remediation for critical infrastructure assets.
Technical summary
The vulnerability resides in `net/ipv4/af_inet.c`, where `inet_create()` calls `sock_init_data()` to associate a newly allocated `struct sock` (`sk`) with a `struct socket` (`sock`). If any subsequent initialization step fails, the error path releases the `sk` object via `sk_free()` but does not reset `sock->sk`. The dangling pointer persists in the socket structure, and any subsequent operation referencing `sock->sk` operates on freed memory. The fix sets `sock->sk = NULL` in the error path to prevent use-after-free conditions. This vulnerability is exploitable locally with low privileges and can result in complete system compromise due to kernel memory corruption.
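A userspace model of the error path described above, added here as an illustration; it is not the kernel's code or the vendor's patch. The `model_*` names, the static pool, and the `fail_late` and `patched` flags are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model, not kernel code: model_* names and the pool are assumptions. */
struct model_sk { int freed; };
struct model_socket { struct model_sk *sk; };
enum sk_state { SK_NONE, SK_LIVE, SK_DANGLING };

/* Slots are never reused, so a "freed" object stays safe to inspect. */
static struct model_sk pool[16];
static size_t next_slot;

static struct model_sk *model_sk_alloc(void)
{
    return next_slot < sizeof pool / sizeof pool[0] ? &pool[next_slot++] : NULL;
}

/* fail_late: an init step fails after the attach; patched: fix applied. */
static int model_inet_create(struct model_socket *sock, int fail_late, int patched)
{
    struct model_sk *sk = model_sk_alloc();
    if (!sk)
        return -1;
    sock->sk = sk;             /* stand-in for sock_init_data() */
    if (fail_late) {
        sk->freed = 1;         /* stand-in for freeing sk on the error path */
        if (patched)
            sock->sk = NULL;   /* the fix: no pointer to the freed sk survives */
        return -1;
    }
    return 0;
}

/* What a later user of the socket finds behind sock->sk. */
static enum sk_state run_case(int fail_late, int patched)
{
    struct model_socket sock = { NULL };
    model_inet_create(&sock, fail_late, patched);
    if (!sock.sk)
        return SK_NONE;
    return sock.sk->freed ? SK_DANGLING : SK_LIVE;
}

int main(void)
{
    printf("unpatched, late failure: %d\n", run_case(1, 0));
    printf("patched, late failure:   %d\n", run_case(1, 1));
    printf("no failure:              %d\n", run_case(0, 0));
    return 0;
}
```

Only the unpatched error path leaves the socket in the `SK_DANGLING` state; with the fix, a later access sees a NULL `sk` instead of freed memory.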
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE products per Siemens ProductCERT guidance
- Review SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configurations for specific affected variants as noted in vendor advisory
- Implement network segmentation for industrial control systems to limit local attack vector exposure
- Monitor for anomalous socket-related behavior in SINEC OS deployments pending patch application
- Follow CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
Evidence notes
CVE published 2025-08-12 per official CVE record. CISA ICS advisory ICSA-25-226-07 published same date. Siemens ProductCERT advisory SSA-355557 provides vendor-specific remediation guidance. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms local privilege escalation potential with high impact across CIA triad.
Official resources
- CVE-2024-56601 CVE record (CVE.org)
- CVE-2024-56601 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12