PatchSiren cyber security CVE debrief
CVE-2024-57951 Siemens CVE debrief
CVE-2024-57951 is a high-severity vulnerability in the Linux kernel's high-resolution timer (hrtimer) subsystem, specifically affecting CPU hotplug handling. The flaw occurs when a CPU transitions from CPUHP_ONLINE to CPUHP_HRTIMERS_PREPARE during a hotunplug operation and then returns to the online state without its per-CPU state being reset. This leaves stale state including dangling pointers, causes CFS to incorrectly assume hrtick is active, prevents clockevent devices from transitioning to oneshot mode, and triggers WARN_ON_ONCE assertions in enqueue_hrtimer(). The vulnerability was resolved by adding a startup() callback that resets the stale per-CPU state and sets the online flag correctly. Siemens has identified affected products in its industrial networking equipment lines and provided vendor fixes.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P and SCALANCE switch families, particularly those in critical infrastructure sectors with systems utilizing CPU hotplug capabilities or dynamic resource management. System administrators of Linux-based industrial control systems should prioritize this patch due to the potential for memory corruption and timer subsystem instability.
Technical summary
The vulnerability exists in the Linux kernel's high-resolution timer (hrtimer) subsystem during CPU hotplug operations. When a CPU undergoes a partial hotunplug (reaching CPUHP_HRTIMERS_PREPARE but not completing) and returns to CPUHP_ONLINE, the hrtimers_prepare_cpu() callback does not execute. As a result, cpu_base.hres_active stays set to 1, cpu_base.online stays unset (which triggers the WARN_ON_ONCE in enqueue_hrtimer()), and the remaining per-CPU state, including potential dangling pointers, is not reset. The tick and clockevents are shut down at CPUHP_AP_TICK_DYING during unplug and are not properly recovered on the way back, so CFS assumes hrtick remains active and the clockevent device cannot transition to oneshot mode. The fix introduces a startup() callback that resets this state and sets the online flag when a CPU returns from an incomplete hotunplug sequence.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE product families per Siemens ProductCERT guidance
- Review SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configurations for specific patch applicability as noted in vendor advisory
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
- Monitor for kernel WARN_ON_ONCE messages in enqueue_hrtimer() as potential indicators of vulnerable state conditions
- Prioritize patching systems with frequent CPU hotplug operations or dynamic resource allocation
- Validate hrtimer subsystem stability after system resume from suspend or CPU hotplug events
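One way to run the WARN_ON_ONCE check from the list above over collected kernel logs, as an added example that is not code from Siemens, CISA or the kernel project. The log lines are constructed, the source line numbers in them are placeholders, and the name `find_enqueue_hrtimer_warnings` is hypothetical; only the standard kernel `WARNING: CPU: … PID: … at …` header format is assumed.

```python
import re
from collections import defaultdict

# Standard kernel WARN header:
#   WARNING: CPU: <n> PID: <n> at <file>:<line> <symbol>+0x<offset>/0x<size>
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<src>\S+):(?P<line>\d+) (?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
)

# Constructed sample log (not captured from a real device).
# Source line numbers and offsets are placeholders.
SAMPLE_LOG = """\
[  812.104233] WARNING: CPU: 2 PID: 0 at kernel/time/hrtimer.c:1000 enqueue_hrtimer+0x7c/0xf8
[  812.104240] Modules linked in:
[  812.104251] CPU: 2 PID: 0 Comm: swapper/2 Not tainted
[  900.500000] WARNING: CPU: 1 PID: 77 at net/core/dev.c:2000 netif_rx+0x10/0x40
Aug 12 10:01:02 sw01 kernel: WARNING: CPU: 3 PID: 0 at kernel/time/hrtimer.c:1000 enqueue_hrtimer+0x7c/0xf8
"""


def find_enqueue_hrtimer_warnings(log_text, symbol="enqueue_hrtimer"):
    """Return {cpu: [raw log lines]} for WARN headers raised in `symbol`.

    Works on dmesg output ("[ 12.345] ...") and syslog/journald lines
    ("<date> <host> kernel: ...") because the header is searched anywhere
    in the line.
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = WARN_RE.search(raw)
        if m is None:
            continue
        # Compiler clones show up as e.g. enqueue_hrtimer.constprop.0,
        # so compare the base symbol name only.
        if m.group("sym").split(".")[0] != symbol:
            continue
        hits[int(m.group("cpu"))].append(raw.strip())
    return dict(hits)


if __name__ == "__main__":
    for cpu, lines in sorted(find_enqueue_hrtimer_warnings(SAMPLE_LOG).items()):
        print(f"CPU {cpu}: {len(lines)} enqueue_hrtimer warning(s)")
        for entry in lines:
            print("   ", entry)
```

WARN_ON_ONCE reports only its first hit per boot, so scan the complete kernel log since boot; a clean recent window does not show that the condition has not occurred.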
Evidence notes
CVE description confirms Linux kernel hrtimer CPU hotplug state handling flaw with dangling pointer risk. CISA ICS advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557 identify affected industrial products. CVSS 7.8 (HIGH) with local attack vector, low attack complexity, low privileges required, no user interaction. CWE-416 (Use After Free) classification. Vendor fixes specify update to V3.2 or later for RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family; additional information required for SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configuration.
Official resources
- CVE-2024-57951 CVE record (CVE.org)
- CVE-2024-57951 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12