Lucene search
+L

Siemens RUGGEDCOM RST2428P Active Debug Code (CVE-2026-22977)

🗓️ 18 Jun 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 11 Views

Linux kernel fix for hardened usercopy panic in socket error queue due to skbuff_fclone_cache.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(505385);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/17");

  script_cve_id("CVE-2026-22977");
  script_xref(name:"ICSA", value:"26-188-05");

  script_name(english:"Siemens RUGGEDCOM RST2428P Active Debug Code (CVE-2026-22977)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"In the Linux kernel, the following vulnerability has been resolved:
net: sock: fix hardened usercopy panic in sock_recv_errqueue
skbuff_fclone_cache was created without defining a usercopy region,
[1] unlike skbuff_head_cache which properly whitelists the cb[] field.
[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is
enabled and the kernel attempts to copy sk_buff.cb data to userspace
via sock_recv_errqueue() -> put_cmsg().    The crash occurs when: 1.
TCP allocates an skb using alloc_skb_fclone()     (from
skbuff_fclone_cache) [1]  2. The skb is cloned via skb_clone() using
the pre-allocated fclone  [3] 3. The cloned skb is queued to
sk_error_queue for timestamp  reporting 4. Userspace reads the error
queue via recvmsg(MSG_ERRQUEUE)  5. sock_recv_errqueue() calls
put_cmsg() to copy serr->ee from skb->cb  [4] 6. __check_heap_object()
fails because skbuff_fclone_cache has no     usercopy whitelist [5]
When cloned skbs allocated from skbuff_fclone_cache are used in the
socket error queue, accessing the sock_exterr_skb structure in skb->cb
via put_cmsg() triggers a usercopy hardening violation:    [
5.379589] usercopy: Kernel memory exposure attempt detected from SLUB
object 'skbuff_fclone_cache' (offset 296, size 16)!  [    5.382796]
kernel BUG at mm/usercopy.c:102!  [    5.383923] Oops: invalid opcode:
0000 [#1] SMP KASAN NOPTI  [    5.384903] CPU: 1 UID: 0 PID: 138 Comm:
poc_put_cmsg Not tainted 6.12.57 #7  [    5.384903] Hardware name:
QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014  [
5.384903] RIP: 0010:usercopy_abort+0x6c/0x80  [    5.384903] Code: 1a
86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48
c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490  [
5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246  [    5.384903]
RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74  [
5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI:
ffffffff87b973a0  [    5.384903] RBP: 0000000000000010 R08:
0000000000000000 R09: fffffbfff0f72e74  [    5.384903] R10:
0000000000000003 R11: 79706f6372657375 R12: 0000000000000001  [
5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15:
ffffea00003c2b00  [    5.384903] FS:  0000000011bc4380(0000)
GS:ffff8880bf100000(0000) knlGS:0000000000000000  [    5.384903] CS:
0010 DS: 0000 ES: 0000 CR0: 0000000080050033  [    5.384903] CR2:
000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0  [
5.384903] PKRU: 55555554  [    5.384903] Call Trace:  [    5.384903]
<TASK>  [    5.384903]  __check_heap_object+0x9a/0xd0  [    5.384903]
__check_object_size+0x46c/0x690  [    5.384903]  put_cmsg+0x129/0x5e0
[    5.384903]  sock_recv_errqueue+0x22f/0x380  [    5.384903]
tls_sw_recvmsg+0x7ed/0x1960  [    5.384903]  ?
srso_alias_return_thunk+0x5/0xfbef5  [    5.384903]  ?
schedule+0x6d/0x270  [    5.384903]  ?
srso_alias_return_thunk+0x5/0xfbef5  [    5.384903]  ?
mutex_unlock+0x81/0xd0  [    5.384903]  ? __pfx_mutex_unlock+0x10/0x10
[    5.384903]  ? __pfx_tls_sw_recvmsg+0x10/0x10  [    5.384903]  ?
_raw_spin_lock_irqsave+0x8f/0xf0  [    5.384903]  ?
_raw_read_unlock_irqrestore+0x20/0x40  [    5.384903]  ?
srso_alias_return_thunk+0x5/0xfbef5    The crash offset 296
corresponds to skb2->cb within skbuff_fclones:    - sizeof(struct
sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -    offset of
skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =    272 + 24
(inside sock_exterr_skb.ee)    This patch uses a local stack variable
as a bounce buffer to avoid the hardened usercopy check failure.
[1]
https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885
[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c
#L5104  [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/
skbuff.c#L5566  [4] https://elixir.bootlin.com/linux/v6.12.62/source/n
et/core/skbuff.c#L5491  [5]
https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-253495.html");
  script_set_attribute(attribute:"see_also", value:"https://support.industry.siemens.com/cs/ww/en/view/110002573/");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/ICSA-26-188-05");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-22977");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(489);

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:ruggedcom_rst2428p_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:ruggedcom_rst2428p_firmware" :
        {"family" : "RuggedCom", "orderNumbers" : ['6GK6242-6PA00'], "versionEndExcluding" : "4.0"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Jul 2026 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 3.15.5
EPSS0.00126
SSVC
11