PatchSiren cyber security CVE debrief
CVE-2024-41004 Linux CVE debrief
CVE-2024-41004 is a Linux kernel tracing subsystem issue where kprobes and synthetic event generation test modules, when compiled as built-in rather than loadable modules, leave event file references permanently locked in the kernel. The root cause stems from the module design pattern: these test modules acquire event file references during initialization and release them during exit. When built into the kernel monolithically, the exit routine never executes, causing the references to remain locked indefinitely. This results in resource leakage that could affect kernel stability and tracing functionality over time. The vulnerability carries a CVSS 5.9 (MEDIUM) score and was published on August 12, 2025. Siemens has identified this CVE as affecting certain industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, though the CISA advisory marks the impact assessment as 'Misinformed' for the tracked product IDs. The issue was addressed by restricting these test modules to build only as loadable modules rather than built-in kernel components.
- Vendor: Linux
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
System administrators managing Siemens industrial networking equipment running SINEC OS, particularly RUGGEDCOM RST2428P and SCALANCE XC/XR series switches. Kernel developers and maintainers building custom Linux kernels for embedded or industrial systems should verify their configurations avoid built-in compilation of tracing test code. Security teams in OT/ICS environments should track this as part of kernel hygiene and supply chain risk management.
Technical summary
The vulnerability exists in the Linux kernel's tracing infrastructure, specifically in test modules for kprobes and synthetic event generation. These modules follow a pattern where they register events and acquire references during module initialization, then release those references during module exit. When compiled as built-in kernel code rather than loadable kernel modules (LKMs), the exit function is never invoked, leaving event file references permanently locked. This constitutes a resource leak that could degrade tracing functionality over time. The fix ensures these test modules can only be built as loadable modules, preventing the problematic built-in configuration.
Defensive priority
medium
Recommended defensive actions
- Review kernel build configurations for affected Siemens industrial devices to ensure tracing test modules are not compiled as built-in components
- Apply vendor-provided firmware updates for RUGGEDCOM RST2428P and SCALANCE XC/XR family devices when available per Siemens ProductCERT guidance
- Monitor kernel logs for tracing subsystem anomalies that may indicate resource exhaustion from locked event references
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
- Verify that custom kernel builds for affected products explicitly configure CONFIG_ options to build tracing test code as modules only
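One way to run the build-configuration check from the list above, as an added example (not code from the advisory, Siemens, or the kernel project). The option names CONFIG_KPROBE_EVENT_GEN_TEST and CONFIG_SYNTH_EVENT_GEN_TEST are taken from the upstream kernel's tracing Kconfig and are not named on this page; the sample config files are constructed.

```shell
#!/bin/sh
# Added example: classify the tracing event-generation test options in a
# kernel .config-style file. Option names are from upstream kernel/trace/Kconfig
# (an assumption; this page does not name them).

TRACE_TEST_OPTS="CONFIG_KPROBE_EVENT_GEN_TEST CONFIG_SYNTH_EVENT_GEN_TEST"

# opt_state FILE OPTION -> prints builtin | module | unset
opt_state() {
    # Use the last assignment found; "# ... is not set" lines never match.
    val=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo unset ;;
    esac
}

# audit_trace_tests FILE -> one line per option; returns 1 if any is built-in
audit_trace_tests() {
    rc=0
    for opt in $TRACE_TEST_OPTS; do
        state=$(opt_state "$1" "$opt")
        case "$state" in
            builtin) echo "AFFECTED $opt=y (exit routine never runs, reference stays held)"; rc=1 ;;
            module)  echo "OK       $opt=m (reference released by the module exit routine)" ;;
            unset)   echo "OK       $opt not enabled" ;;
        esac
    done
    return $rc
}

# Constructed sample configs (not taken from any real device or firmware).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' 'CONFIG_KPROBE_EVENTS=y' 'CONFIG_KPROBE_EVENT_GEN_TEST=y' \
        'CONFIG_SYNTH_EVENTS=y' 'CONFIG_SYNTH_EVENT_GEN_TEST=m' > "$SAMPLE_DIR/bad.config"
    printf '%s\n' 'CONFIG_KPROBE_EVENTS=y' 'CONFIG_KPROBE_EVENT_GEN_TEST=m' \
        '# CONFIG_SYNTH_EVENT_GEN_TEST is not set' > "$SAMPLE_DIR/good.config"
}

make_samples
audit_trace_tests "$SAMPLE_DIR/bad.config" || echo "=> built-in tracing test code found"
audit_trace_tests "$SAMPLE_DIR/good.config" && echo "=> no built-in tracing test code"
```

On a system you build or administer, the same functions can be pointed at the `.config` in the kernel build tree or at `/boot/config-$(uname -r)` where the distribution ships one.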
Evidence notes
The vulnerability description indicates this is a build configuration issue in the Linux kernel tracing subsystem. The CISA CSAF source (ICSA-25-226-07) lists this CVE with 'Misinformed' impact classification for the affected Siemens product IDs (CSAFPID-0006, CSAFPID-0002, CSAFPID-0003). The advisory was republished on February 25, 2026 based on Siemens ProductCERT SSA-355557. No KEV listing or known ransomware campaign use is documented.
Official resources
- CVE-2024-41004 CVE record (CVE.org)
- CVE-2024-41004 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12