PatchSiren cyber security CVE debrief
CVE-2024-49903 Linux CVE debrief
CVE-2024-49903 is a use-after-free (UAF) in the Linux kernel's JFS (Journaled File System) implementation, reached through `dbFreeBits` in `fs/jfs/jfs_dmap.c`. The bug is a race between two code paths: `dbUnmount`, which frees the in-memory block map (`bmap`) when the filesystem is unmounted, and `jfs_ioc_trim`, which services the FITRIM ioctl and walks the same `bmap` without holding any lock that excludes unmount. If the ioctl is still running when unmount frees the structure, `dbFreeBits` takes a mutex that lives in freed slab memory. The upstream fix makes `jfs_ioc_trim` take the superblock's `s_umount` semaphore for read (the unmount path already holds it for write), so the two paths can no longer overlap. Siemens lists this CVE as 'Misinformed' for the affected industrial networking products, the advisory's term for a vulnerability that does not pose a practical risk to the listed products.
- Vendor: Linux
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Linux kernel maintainers and administrators of systems that mount JFS filesystems; operators of Siemens industrial networking equipment (RUGGEDCOM and SCALANCE families) should check the vendor's impact assessment for their products.
Technical summary
The bug lives in the JFS disk map (dmap) management code. `jfs_ioc_trim` reads the `bmap` pointer from the JFS superblock info and then discards free extents one allocation group at a time; that walk ends in `dbFreeBits`, which locks `bmp->db_bmaplock`. Nothing stops a concurrent unmount: `dbUnmount` frees the same `bmap` with `kfree`, so a trim that is still running afterwards locks a mutex inside freed memory. The fix wraps the body of `jfs_ioc_trim` in `down_read(&sb->s_umount)` / `up_read(&sb->s_umount)` and loads the `bmap` pointer only after the read lock is held; the unmount path runs with `s_umount` held for write, so it now waits for an in-flight trim to finish. The syzbot reproducer crashed kernel 6.11.0-rc3 with KASAN enabled; the report is a slab-use-after-free read in `__mutex_lock`, called from `dbFreeBits` on memory that `dbUnmount` had already freed.
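The interleaving described above, as an added example that is not part of this debrief or of the kernel source: a user-space C model of the two paths. The struct and member names (`bmap`, `s_umount`, `db_bmaplock`) are stand-ins chosen to mirror the kernel's; a poison flag replaces `kfree()` so the freed access is detected instead of being undefined behaviour; the NULL check after the pointer load is a modelling choice, not a claim about the kernel patch. The vulnerable variant reads the `bmap` pointer before unmount runs, the fixed variant loads it only while holding `s_umount` for read, and the semaphores force the losing interleaving so the outcome is deterministic.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <semaphore.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel objects; only the members the model needs. */
struct bmap {
    pthread_mutex_t db_bmaplock;   /* dbFreeBits() locks this */
    int freed;                     /* poison flag standing in for kfree() */
};

struct super_block {
    pthread_rwlock_t s_umount;     /* held for write while the VFS tears the fs down */
    struct bmap *bmap;             /* JFS_SBI(sb)->bmap */
};

struct scenario {
    struct super_block sb;
    struct bmap storage;
    int use_fix;                   /* 1: trim path takes s_umount, as the fix does */
    sem_t trim_loaded;             /* trim has read sb.bmap */
    sem_t umount_done;             /* unmount has freed it */
    int uaf_detected;
};

/* Model of dbFreeBits(): touching a freed bmap is what KASAN reports as slab-use-after-free. */
static int db_free_bits(struct scenario *s, struct bmap *bmp)
{
    if (bmp->freed) {
        s->uaf_detected = 1;
        return -1;
    }
    pthread_mutex_lock(&bmp->db_bmaplock);
    pthread_mutex_unlock(&bmp->db_bmaplock);
    return 0;
}

/* Model of the unmount path: s_umount held for write, then dbUnmount() frees bmap. */
static void *umount_thread(void *arg)
{
    struct scenario *s = arg;

    sem_wait(&s->trim_loaded);                  /* force the racy interleaving */
    pthread_rwlock_wrlock(&s->sb.s_umount);     /* blocks while a fixed trim holds it for read */
    s->sb.bmap->freed = 1;                      /* kfree(bmp) */
    s->sb.bmap = NULL;
    pthread_rwlock_unlock(&s->sb.s_umount);
    sem_post(&s->umount_done);
    return NULL;
}

/* Model of jfs_ioc_trim() -> dbDiscardAG() -> dbFree() -> dbFreeBits(). */
static void *trim_thread(void *arg)
{
    struct scenario *s = arg;
    struct bmap *bmp;

    if (s->use_fix) {
        pthread_rwlock_rdlock(&s->sb.s_umount); /* down_read(&sb->s_umount) */
        bmp = s->sb.bmap;                       /* pointer loaded only under the lock */
        sem_post(&s->trim_loaded);              /* unmount may try now, but must wait */
        if (bmp)                                /* modelling choice: tolerate a finished unmount */
            db_free_bits(s, bmp);
        pthread_rwlock_unlock(&s->sb.s_umount); /* up_read(&sb->s_umount) */
        return NULL;
    }

    bmp = s->sb.bmap;            /* pre-fix: pointer taken at entry, no lock */
    sem_post(&s->trim_loaded);   /* unmount runs ... */
    sem_wait(&s->umount_done);   /* ... and frees bmp underneath us */
    db_free_bits(s, bmp);        /* dereference of freed memory */
    return NULL;
}

/* Runs one interleaving; returns 1 if trim touched a freed bmap, 0 otherwise. */
int run_scenario(int use_fix)
{
    struct scenario s;
    pthread_t t_trim, t_umount;

    memset(&s, 0, sizeof(s));
    s.use_fix = use_fix;
    pthread_mutex_init(&s.storage.db_bmaplock, NULL);
    pthread_rwlock_init(&s.sb.s_umount, NULL);
    s.sb.bmap = &s.storage;
    sem_init(&s.trim_loaded, 0, 0);
    sem_init(&s.umount_done, 0, 0);

    pthread_create(&t_trim, NULL, trim_thread, &s);
    pthread_create(&t_umount, NULL, umount_thread, &s);
    pthread_join(t_trim, NULL);
    pthread_join(t_umount, NULL);

    sem_destroy(&s.trim_loaded);
    sem_destroy(&s.umount_done);
    pthread_rwlock_destroy(&s.sb.s_umount);
    pthread_mutex_destroy(&s.storage.db_bmaplock);
    return s.uaf_detected;
}

int main(void)
{
    printf("without fix: uaf=%d\n", run_scenario(0));  /* 1 */
    printf("with fix:    uaf=%d\n", run_scenario(1));  /* 0 */
    return 0;
}
```

Build with `cc -pthread race_model.c`. The point the model makes is the one that matters for reviewing the patch: taking `s_umount` is only sufficient because the `bmap` pointer is read after the lock is held; a read lock taken after an unlocked pointer load would still hand `dbFreeBits` a stale pointer.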
Defensive priority
low
Recommended defensive actions
- Check whether the running kernel has JFS support (built in or as the `jfs` module) and whether any JFS filesystems are mounted; if so, update to a kernel that carries the upstream fix "jfs: Fix uaf in dbFreeBits" or its stable backport. Hosts without JFS support cannot reach the vulnerable code.
- Review Siemens ProductCERT advisory SSA-355557 for product-specific impact assessments
- For Siemens RUGGEDCOM RST2428P, the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and the SCALANCE XCM-/XRM-/XCH-/XRH-300 family, confirm that the vendor's 'Misinformed' assessment applies to your deployment
- Follow CISA's recommended defense-in-depth practices for industrial control environments
- Monitor CISA ICS advisories for updates to the product impact assessments
Evidence notes
The bug was reported by syzbot and fixed upstream in the Linux kernel. The KASAN (Kernel Address Sanitizer) report shows a slab-use-after-free in `__mutex_lock` called from `dbFreeBits`: the memory being locked had been freed by `dbUnmount` while `jfs_ioc_trim` was still using it. Siemens ProductCERT advisory SSA-355557 and CISA advisory ICSA-25-226-07 both track this CVE. The CISA advisory was first published on 2025-08-12 and most recently updated on 2026-02-25 to reflect a republication based on the Siemens advisory. The 'Misinformed' assessment means Siemens has determined that the vulnerability does not pose a practical risk to the listed products.
Official resources
- CVE-2024-49903 CVE record (CVE.org)
- CVE-2024-49903 NVD detail (NVD)
- Source item: cisa_csaf, 2025-08-12