PatchSiren cyber security CVE debrief
CVE-2024-40987 Linux CVE debrief
CVE-2024-40987 is a Linux kernel CVE for a UBSAN (Undefined Behavior Sanitizer) warning in the AMDGPU DRM driver, in kv_dpm.c, the dynamic power management code for AMD Kabini and Temash APUs. It appears on this page because the CISA CSAF advisory ICSA-25-226-07 lists it against Siemens industrial networking products and marks its impact as 'Misinformed' for each of them, meaning the CVE was attributed to those products in error and does not apply to them. The advisory was first published on 2025-08-12 and revised several times through 2026-02-25, correcting the affected-product lists and removing rejected CVEs. The source data carries no CVSS score or severity.
- Vendor: Linux
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00); the advisory also lists the SCALANCE XC/XR/XCM/XRM/XCH/XRH families (see Evidence notes)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Operators of the Siemens RUGGEDCOM and SCALANCE switch families named in the advisory should confirm against their inventory that the 'Misinformed' status covers their units and then close the finding, rather than wait for a product patch that the advisory does not promise. Separately, administrators of Linux hosts that load the amdgpu driver on AMD Kabini or Temash APUs should pick up the underlying kernel fix through normal distribution kernel updates; that population is the one the CVE actually describes, and it has nothing to do with the Siemens switches.
Technical summary
The CVE record covers a UBSAN (Undefined Behavior Sanitizer) warning in the Linux kernel's AMDGPU DRM driver, in kv_dpm.c, which implements dynamic power management for AMD Kabini and Temash APUs. UBSAN reports code whose behaviour is undefined under the C standard; in kernel code such a report is often a missing bound or default case that is harmless in practice but can also hide a real out-of-range access, which is why the kernel CNA issues CVE records for such fixes, and this record describes the issue as resolved by an upstream patch. None of that reaches the Siemens products: the source CISA advisory ICSA-25-226-07 marks the impact of this CVE as 'Misinformed' for every listed product (RUGGEDCOM RST2428P and the SCALANCE XC/XR/XCM/XRM/XCH/XRH families), i.e. the CVE was listed against them by mistake and does not affect them. The advisory was revised several times between 2025-08-12 and 2026-02-25 to correct product attribution, with the final revision based on Siemens ProductCERT advisory SSA-355557.
Defensive priority
low
Recommended defensive actions
- Check the asset inventory against the advisory's product list (CSAFPID-0006, CSAFPID-0002, CSAFPID-0003) and record the 'Misinformed' status so the CVE is closed as not applicable rather than left open in scanner output
- Monitor Siemens ProductCERT SSA-355557 for any further clarification
- On Linux hosts that load the amdgpu driver on Kabini/Temash APUs, confirm the running kernel carries the upstream fix via normal distribution kernel updates
- Apply standard defense-in-depth practices for industrial control systems per CISA guidance
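A concrete version of the inventory check above, as an added example that is not part of the original page nor of any PatchSiren, CISA or Siemens tooling: the script parses a CSAF 2.0 document, resolves product IDs through the product tree, collects each product's status and impact note for one CVE, and matches the result against an asset list. The advisory JSON and the inventory are constructed stand-ins; the ID-to-family mapping and the placement of 'Misinformed' as an impact entry in the vulnerability's threats list are assumptions, so verify that field against the real ICSA-25-226-07 file before relying on it.

```python
"""Check an asset inventory against the per-product status that a CSAF 2.0
advisory assigns to one CVE.

Added example, not PatchSiren, CISA or Siemens code. ADVISORY and INVENTORY
are constructed stand-ins that follow the CSAF 2.0 layout (product_tree and
vulnerabilities); they are not the real ICSA-25-226-07 file. The product-ID
to name mapping and the placement of 'Misinformed' as a threats entry of
category "impact" are assumptions made for this example.
"""
import json

# CSAF 2.0 product_status categories, ordered most to least severe.
STATUS_KEYS = (
    "known_affected", "first_affected", "last_affected",
    "under_investigation", "fixed", "first_fixed", "known_not_affected",
)

ADVISORY = json.loads(r'''
{
  "document": {"title": "Constructed sample advisory",
               "tracking": {"id": "ICSA-25-226-07", "version": "3"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "Siemens", "branches": [
      {"category": "product_name", "name": "RUGGEDCOM RST2428P", "branches": [
        {"category": "product_version_range", "name": "vers:all/*",
         "product": {"name": "RUGGEDCOM RST2428P (6GK6242-6PA00)",
                     "product_id": "CSAFPID-0006"}}]},
      {"category": "product_name", "name": "SCALANCE XC-300 family", "branches": [
        {"category": "product_version_range", "name": "vers:all/*",
         "product": {"name": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
                     "product_id": "CSAFPID-0002"}}]},
      {"category": "product_name", "name": "SCALANCE XCM-300 family", "branches": [
        {"category": "product_version_range", "name": "vers:all/*",
         "product": {"name": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
                     "product_id": "CSAFPID-0003"}}]}
    ]}]},
  "vulnerabilities": [
    {"cve": "CVE-2024-40987",
     "title": "drm/amdgpu: UBSAN warning in kv_dpm.c",
     "product_status": {"known_affected": ["CSAFPID-0006", "CSAFPID-0002", "CSAFPID-0003"]},
     "threats": [{"category": "impact", "details": "Misinformed",
                  "product_ids": ["CSAFPID-0006", "CSAFPID-0002", "CSAFPID-0003"]}]}
  ]
}
''')

# Constructed inventory: hostname, marketing name and Siemens order number (MLFB).
INVENTORY = [
    {"hostname": "sw-plant-01", "model": "RUGGEDCOM RST2428P", "order_number": "6GK6242-6PA00"},
    {"hostname": "sw-office-02", "model": "Generic L2 switch", "order_number": ""},
]


def product_names(tree):
    """Map every product_id in a CSAF product_tree to its full product name."""
    names = {fpn["product_id"]: fpn["name"] for fpn in tree.get("full_product_names", [])}

    def walk(branches):
        for branch in branches:
            prod = branch.get("product")
            if prod:
                names[prod["product_id"]] = prod.get("name", prod["product_id"])
            walk(branch.get("branches", []))

    walk(tree.get("branches", []))
    return names


def status_for_cve(doc, cve):
    """Return {product_id: {name, status, impact}} for one CVE, or None if the CVE is absent."""
    names = product_names(doc.get("product_tree", {}))
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        rows = {}
        for status in STATUS_KEYS:
            for pid in vuln.get("product_status", {}).get(status, []):
                # A product listed under several categories keeps the most severe one.
                rows.setdefault(pid, {"name": names.get(pid, pid), "status": status, "impact": None})
        for threat in vuln.get("threats", []):
            if threat.get("category") != "impact":
                continue
            for pid in threat.get("product_ids", []):
                row = rows.setdefault(pid, {"name": names.get(pid, pid), "status": None, "impact": None})
                row["impact"] = threat.get("details")
        return rows
    return None


def match_inventory(rows, inventory):
    """Match inventory assets to advisory products by order number or by model name."""
    hits = []
    for asset in inventory:
        for pid, row in rows.items():
            by_order = bool(asset["order_number"]) and asset["order_number"] in row["name"]
            by_model = bool(asset["model"]) and asset["model"] in row["name"]
            if by_order or by_model:
                hits.append({"hostname": asset["hostname"], "product_id": pid,
                             "status": row["status"], "impact": row["impact"]})
    return hits


def needs_action(hit):
    """An affected status is actionable unless the vendor's impact note retracts it."""
    affected = ("known_affected", "first_affected", "last_affected", "under_investigation")
    return hit["status"] in affected and hit["impact"] != "Misinformed"


if __name__ == "__main__":
    rows = status_for_cve(ADVISORY, "CVE-2024-40987")
    for hit in match_inventory(rows, INVENTORY):
        print(f"{hit['hostname']}: {hit['product_id']} status={hit['status']} "
              f"impact={hit['impact']} action={'yes' if needs_action(hit) else 'no'}")
```

Run directly it prints one line per matched asset; in practice replace ADVISORY with the CSAF JSON fetched from the CISA advisory page and INVENTORY with a CMDB export. Matching on the order number (MLFB) is the reliable key for Siemens gear, since marketing names are reused across hardware revisions.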
Evidence notes
Source advisory ICSA-25-226-07 explicitly categorizes impact as 'Misinformed' for all listed product IDs (CSAFPID-0006, CSAFPID-0002, CSAFPID-0003). The CVE description references a Linux kernel AMDGPU driver issue (drm/amdgpu: UBSAN warning in kv_dpm.c) which appears unrelated to the Siemens industrial networking products listed (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family). The 2026-02-25 revision specifically notes this was a 'CISA Republication update based on Siemens ProductCERT SSA-355557 advisory', suggesting coordinated vendor clarification.
Official resources
- CVE-2024-40987 CVE record (CVE.org)
- CVE-2024-40987 NVD detail (NVD)
- Source item URL: cisa_csaf
2025-08-12