PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-26839 Siemens CVE debrief

A memory leak vulnerability in the Linux kernel's InfiniBand hfi1 driver, specifically in the `init_credit_return` function, has been identified and resolved. The CVE was published on August 12, 2025, and last modified on February 25, 2026. Siemens has assessed this CVE as 'Misinformed' for the listed industrial control system products, including the RUGGEDCOM RST2428P and SCALANCE X family devices running SINEC OS. The source advisory (ICSA-25-226-15) underwent multiple revisions, the most recent on February 25, 2026, reflecting republication based on Siemens ProductCERT advisory SSA-613116. No CVSS score or severity rating is available in the source data. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations running Linux systems with Intel Omni-Path (hfi1) InfiniBand adapters should ensure kernel patches are applied. Industrial operators using Siemens RUGGEDCOM RST2428P or SCALANCE X family devices with SINEC OS should monitor Siemens ProductCERT guidance, though the vendor assessment indicates this CVE is misinformed for these products.

Technical summary

The vulnerability exists in the Linux kernel's InfiniBand hfi1 (Intel Omni-Path) driver, within the `init_credit_return` function. The issue is a memory leak that occurs while the driver initializes its credit return mechanism; the fix corrects the memory management in this driver path so that allocated memory is released. While the underlying kernel vulnerability is valid, Siemens has assessed this CVE as 'Misinformed' for its specific product lineup, indicating that, as reported, the vulnerability does not apply to these products or to the configurations in which they are deployed.
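To make the bug class concrete for defenders reviewing driver or firmware code, the following is an added, constructed user-space model of a leak during multi-step initialization. It is not the hfi1 source and is not taken from the advisory; the shape of the code (a table of per-node buffers, an injected allocation failure on the Nth call, a counter of live allocations) is assumed purely for illustration. It places a leaky initializer, which returns early without unwinding, beside a corrected one that frees everything it allocated before reporting failure.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model only: a small per-node buffer table, not the real driver. */
#define NUM_NODES 4
#define BUF_SIZE  64

struct cr_buf {
    void   *va;    /* buffer address */
    size_t  size;  /* buffer length */
};

/* Test harness state: count outstanding allocations and inject one failure. */
static int live_allocs   = 0;   /* allocations not yet freed */
static int alloc_count   = 0;   /* total allocation attempts so far */
static int fail_on_alloc = -1;  /* index of the attempt that fails; -1 = never */

static void *tracked_alloc(size_t n)
{
    if (alloc_count++ == fail_on_alloc)
        return NULL;            /* simulated allocation failure */
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Releases a fully or partially built table; tolerates NULL entries. */
static void free_buffers(struct cr_buf *t)
{
    if (!t)
        return;
    for (int i = 0; i < NUM_NODES; i++)
        tracked_free(t[i].va);
    tracked_free(t);
}

/* Leaky pattern: on a mid-loop failure the table and earlier buffers are lost. */
static int init_buffers_leaky(struct cr_buf **table)
{
    struct cr_buf *t = tracked_alloc(NUM_NODES * sizeof(*t));
    if (!t)
        return -1;
    for (int i = 0; i < NUM_NODES; i++) {
        t[i].size = BUF_SIZE;
        t[i].va = tracked_alloc(t[i].size);
        if (!t[i].va)
            return -1;          /* BUG: t and t[0..i-1].va are never freed */
    }
    *table = t;
    return 0;
}

/* Corrected pattern: unwind everything allocated so far before failing. */
static int init_buffers_fixed(struct cr_buf **table)
{
    struct cr_buf *t = tracked_alloc(NUM_NODES * sizeof(*t));
    if (!t)
        return -1;
    for (int i = 0; i < NUM_NODES; i++) {
        t[i].size = BUF_SIZE;
        t[i].va = tracked_alloc(t[i].size);
        if (!t[i].va) {
            free_buffers(t);    /* calloc zeroed the rest, so NULLs are skipped */
            return -1;
        }
    }
    *table = t;
    return 0;
}

/* Runs one initializer with a failure injected at attempt fail_at and
 * returns how many allocations are still outstanding afterwards (0 = no leak). */
static int outstanding_after(int (*init)(struct cr_buf **), int fail_at)
{
    live_allocs = 0;
    alloc_count = 0;
    fail_on_alloc = fail_at;
    struct cr_buf *t = NULL;
    if (init(&t) == 0)
        free_buffers(t);        /* normal teardown on success */
    return live_allocs;
}

int main(void)
{
    /* Attempt 0 is the table; attempts 1..4 are the node buffers. Fail on node 2. */
    printf("leaky init, failure at attempt 3: %d leaked\n",
           outstanding_after(init_buffers_leaky, 3));
    printf("fixed init, failure at attempt 3: %d leaked\n",
           outstanding_after(init_buffers_fixed, 3));
    return 0;
}
```

Run stand-alone, the leaky variant reports three outstanding allocations (the table plus the first two node buffers) while the fixed variant reports zero. The same harness idea, counting allocations against frees under injected failure, is how this class of defect is caught in review or unit tests before it reaches production kernels.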

Defensive priority

Low

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-613116 for product-specific guidance
  • Verify SINEC OS version compliance (note: versions below 3.1 are not supported for SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family)
  • Apply kernel updates from Linux distribution maintainers if running affected IB/hfi1 driver code
  • Follow CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

Source advisory ICSA-25-226-15 explicitly categorizes this CVE's impact as 'Misinformed' for all listed product IDs (CSAFPID-0001, CSAFPID-0003, CSAFPID-0004). The vulnerability description indicates a kernel-level memory leak fix in the IB/hfi1 driver. The advisory revision history shows four updates, with the final republication on 2026-02-25 based on Siemens SSA-613116.
