PatchSiren cyber security CVE debrief
CVE-2024-56602 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's IEEE 802.15.4 (low-rate wireless personal area network) subsystem. In ieee802154_create(), sock_init_data() attaches the newly allocated sk object to the caller's socket; if a later initialization step fails, the sk object is freed but the socket's sk pointer is left pointing at the freed memory. A subsequent access through that dangling pointer can crash the kernel, giving a local denial of service. Exploitation requires local access with low privileges, and the vulnerability carries a CVSS 3.1 score of 5.5 (MEDIUM). Siemens has identified affected industrial networking products, including the RUGGEDCOM RST2428P and several SCALANCE switch families, that incorporate the vulnerable kernel code.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Industrial control system operators, OT security teams, and network administrators managing Siemens RUGGEDCOM and SCALANCE infrastructure. Organizations running industrial IoT deployments on affected Siemens products, whether or not they use IEEE 802.15.4 wireless sensor networks: the flaw lives in the kernel's socket-creation path, not in any radio hardware. Security teams responsible for patch management in operational technology environments where kernel-level vulnerabilities may impact network availability.
Technical summary
The vulnerability exists in the ieee802154_create() function in the Linux kernel's net/ieee802154/af_ieee802154.c. The function allocates a struct sock (sk), and sock_init_data() attaches it to the caller's struct socket by setting sock->sk. If a later step in ieee802154_create() then fails, the error path releases the sk object and the memory is freed, but sock->sk is not cleared and keeps pointing at the freed allocation. Any subsequent operation on the socket that dereferences sock->sk is a use-after-free, which typically manifests as a kernel crash or undefined behavior. The upstream fix clears sock->sk on the error path immediately after the sk object is released.
The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact with no confidentiality or integrity impact.
The vulnerability affects Siemens industrial networking products running SINEC OS or embedded Linux derivatives that incorporate the vulnerable kernel code: RUGGEDCOM RST2428P (6GK6242-6PA00), the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and the SCALANCE XCM-/XRM-/XCH-/XRH-300 family. Remediation requires a firmware update to V3.2 or later.
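To make the defect class concrete, the following is an added userspace model of the attach-then-fail pattern described above. It is not kernel code and not Siemens' or the kernel project's own code: struct sock, struct socket and the model_* helpers are simplified stand-ins (assumed names) for the kernel's sk_alloc(), sock_init_data() and sk_common_release(), and fail_init simulates a protocol hash()/init() hook returning an error after the sk has already been attached. The vulnerable create function shows the error path that leaves sock->sk dangling; the fixed one shows the one-line fix of clearing the back-pointer after the release.

```c
/*
 * Userspace model of the defect behind CVE-2024-56602 (added illustration,
 * not kernel code). Names below are simplified stand-ins for the kernel's
 * struct sock / struct socket and its sk_alloc(), sock_init_data() and
 * sk_common_release() helpers.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define AF_IEEE802154_MODEL 36      /* Linux value of AF_IEEE802154 */

struct sock {
    int family;
    int refcnt;
};

struct socket {
    struct sock *sk;                /* back-pointer the bug leaves dangling */
};

/* Stand-in for sock_init_data(): attach sk to the socket, take the first
 * reference. After this call sock->sk points at sk. */
static void model_sock_init_data(struct socket *sock, struct sock *sk)
{
    sk->refcnt = 1;
    sock->sk = sk;
}

/* Stand-in for sk_common_release(): drop the reference and free sk when it
 * reaches zero. It knows nothing about the owning socket, so it cannot
 * clear sock->sk itself; that is the caller's job. */
static void model_sk_common_release(struct sock *sk)
{
    if (--sk->refcnt == 0)
        free(sk);
}

/* Stand-in for the protocol's hash()/init() hooks. fail_init simulates one
 * of them failing after sk has been attached to the socket. */
static int model_proto_init(struct sock *sk, bool fail_init)
{
    (void)sk;
    return fail_init ? -EINVAL : 0;
}

/* Vulnerable shape: on error sk is released, but sock->sk still holds its
 * address, so the caller is handed a pointer to freed memory. */
static int create_vulnerable(struct socket *sock, bool fail_init)
{
    struct sock *sk = calloc(1, sizeof *sk);
    if (!sk)
        return -ENOMEM;

    model_sock_init_data(sock, sk);
    sk->family = AF_IEEE802154_MODEL;

    int rc = model_proto_init(sk, fail_init);
    if (rc)
        model_sk_common_release(sk);  /* sk freed, sock->sk not cleared */
    return rc;
}

/* Fixed shape: clear the back-pointer right after releasing sk, which is
 * what the upstream fix does on the error paths of ieee802154_create(). */
static int create_fixed(struct socket *sock, bool fail_init)
{
    struct sock *sk = calloc(1, sizeof *sk);
    if (!sk)
        return -ENOMEM;

    model_sock_init_data(sock, sk);
    sk->family = AF_IEEE802154_MODEL;

    int rc = model_proto_init(sk, fail_init);
    if (rc) {
        model_sk_common_release(sk);
        sock->sk = NULL;              /* no dangling reference survives */
    }
    return rc;
}

/* Caller-side invariant: after a failed create the socket must not claim
 * to own an sk. Only the pointer value is compared, never dereferenced. */
static bool holds_dangling_sk(const struct socket *sock, int rc)
{
    return rc != 0 && sock->sk != NULL;
}

/* Normal teardown for a socket whose create succeeded. */
static void socket_release(struct socket *sock)
{
    if (sock->sk) {
        model_sk_common_release(sock->sk);
        sock->sk = NULL;
    }
}

int main(void)
{
    struct socket bad = { NULL }, good = { NULL }, ok = { NULL };

    int rc = create_vulnerable(&bad, true);
    printf("vulnerable: rc=%d dangling=%s\n", rc,
           holds_dangling_sk(&bad, rc) ? "yes" : "no");   /* dangling=yes */

    rc = create_fixed(&good, true);
    printf("fixed:      rc=%d dangling=%s\n", rc,
           holds_dangling_sk(&good, rc) ? "yes" : "no");  /* dangling=no */

    rc = create_fixed(&ok, false);
    printf("success:    rc=%d sk=%s\n", rc, ok.sk ? "attached" : "null");
    socket_release(&ok);
    return 0;
}
```

The model deliberately keeps the release helper ignorant of the owning socket, because that is the real-world shape: sk_common_release() frees the sk, and only the create function knows it had already stored the pointer in sock->sk. The fix is therefore local to every error path that runs after sock_init_data(), which is why the same one-line change was needed in several protocol families, not just IEEE 802.15.4.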
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE products per Siemens ProductCERT guidance
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance
- Implement network segmentation for industrial control systems to limit local access vectors
- Monitor affected devices for unexpected reboots and kernel panics, which is how a triggered use-after-free on this path is most likely to surface, and for anomalous process activity on the device itself, since the flaw needs local code execution to reach
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
Evidence notes
CVE published 2025-08-12; CISA advisory ICSA-25-226-07 published same date. Siemens ProductCERT advisory SSA-355557 referenced as authoritative source. Advisory modified 2026-02-25 with republication based on updated Siemens guidance. CVSS vector confirms local attack vector with availability impact.
Official resources
- CVE-2024-56602 CVE record (CVE.org)
- CVE-2024-56602 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12