PatchSiren cyber security CVE debrief
CVE-2024-49890 Linux CVE debrief
CVE-2024-49890 is a null pointer dereference vulnerability in the Linux kernel's AMD Power Management (drm/amd/pm) subsystem. The issue was identified by Coverity static analysis, which flagged a potential dereference of a null return value. The upstream Linux kernel fix ensures that fw_info is validated as non-null before use. Siemens has assessed this CVE as **Misinformed** for its affected industrial networking products (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family), indicating the vulnerability does not actually affect these products as initially reported. The CVE was published on 2025-08-12 and last modified on 2026-02-25 following CISA republication based on updated Siemens ProductCERT guidance. No CVSS score or severity is currently assigned. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: Linux
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators using Siemens RUGGEDCOM and SCALANCE networking equipment; security teams tracking Linux kernel vulnerabilities in OT environments; compliance personnel assessing CVE applicability to industrial assets
Technical summary
CVE-2024-49890 addresses a null pointer dereference vulnerability in the Linux kernel's DRM/AMD Power Management (drm/amd/pm) subsystem. The issue was detected by Coverity static analysis, which identified a code path where fw_info could be dereferenced without null validation. The upstream fix adds a null check before using fw_info. Siemens has evaluated this CVE against its industrial networking product portfolio and determined the impact assessment is 'Misinformed'—meaning the vulnerability does not actually affect the listed products (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family). The advisory underwent multiple revisions, with the final 2026-02-25 republication aligning with Siemens ProductCERT SSA-355557. No CVSS score is assigned, and the CVE is not in the KEV catalog.
Defensive priority
low
Recommended defensive actions
- Verify that the listed Siemens industrial networking products (RUGGEDCOM RST2428P, SCALANCE XC/XR/XCM/XRM/XCH/XRH families) are running current firmware versions as maintained by Siemens ProductCERT
- Review Siemens ProductCERT advisory SSA-355557 for the definitive product impact assessment
- Apply standard ICS security practices per CISA recommended practices for industrial control systems
- No patching action is required for this specific CVE on the listed Siemens products, based on the vendor's 'Misinformed' assessment
- Monitor CISA ICS advisories for any future changes to the impact assessment
Evidence notes
The source advisory (ICSA-25-226-07) explicitly categorizes the impact of this CVE as 'Misinformed' for all listed Siemens products, indicating the vulnerability was incorrectly flagged as affecting these systems. The underlying Linux kernel issue was a static analysis finding (Coverity) for a null pointer dereference in drm/amd/pm, resolved by adding a null check for fw_info. The advisory revision history shows multiple updates, with the 2026-02-25 republication reflecting final alignment with Siemens ProductCERT SSA-355557.
Official resources
- CVE-2024-49890 CVE record (CVE.org)
- CVE-2024-49890 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12