PatchSiren cyber security CVE debrief

CVE-2024-49895 Linux CVE debrief

CVE-2024-49895 is a buffer overflow vulnerability in the Linux kernel's AMD display driver subsystem (drm/amd/display). The flaw is in the cm_helper_translate_curve_to_degamma_hw_format function, where the index 'i' could be used to access transfer function points outside their valid bounds. The fix adds a bounds check that prevents the out-of-bounds memory access. The CVE was published on 2025-08-12 and last modified on 2026-02-25. The CISA advisory ICSA-25-226-07, republished on 2026-02-25, covers this CVE as part of Siemens' third-party component security advisory SSA-355557. Notably, the CISA advisory marks the impact as 'Misinformed' for the affected Siemens products (RUGGEDCOM RST2428P, the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and the SCALANCE XCM-/XRM-/XCH-/XRH-300 family), which suggests these products may not actually be vulnerable to this issue despite their initial listing. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Linux
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations running Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE switches) should verify the actual vulnerability status of their devices, given the 'Misinformed' impact designation. Organizations with Linux-based industrial systems that use AMD graphics hardware should ensure the relevant kernel patches are applied. ICS security teams should treat this as a low-priority informational item pending clarification from Siemens.

Technical summary

The vulnerability is in the Linux kernel's AMD display driver (drm/amd/display), specifically in cm_helper_translate_curve_to_degamma_hw_format. The function lacked a bounds check on the index 'i' when accessing transfer function points, which could lead to a buffer overflow. The fix adds a validation check so that the array index stays within bounds. This is a third-party component vulnerability in the Linux kernel rather than in native Siemens product code. The CISA advisory explicitly marks the impact as 'Misinformed' for the three Siemens product families listed, indicating that these products may have been incorrectly associated with this CVE.

Defensive priority

low

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-355557 for the definitive product impact assessment, since CISA marks the impact as 'Misinformed' for the listed products
  • Verify whether deployed Siemens devices (RUGGEDCOM RST2428P, SCALANCE XC/XR/XCM/XRM/XCH/XRH families) actually incorporate the vulnerable AMD display driver component
  • If Linux-based systems with AMD graphics are present in industrial environments, ensure the applied kernel updates include the bounds check fix for drm/amd/display
  • Apply standard ICS defense-in-depth practices per CISA guidance for industrial control systems
  • Monitor for updated Siemens advisories that may clarify the actual affected product status

Evidence notes

The source CISA CSAF advisory ICSA-25-226-07 explicitly marks the impact for the affected product IDs (CSAFPID-0006, CSAFPID-0002, CSAFPID-0003) as 'Misinformed' in its threats section. The advisory was republished on 2026-02-25 based on Siemens ProductCERT SSA-355557. The CVE description indicates that this is a bounds check fix in the Linux kernel's AMD display driver, i.e. a third-party component issue rather than a defect in native Siemens code.
