PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-31076 Siemens CVE debrief

## Summary

CVE-2024-31076 is a Linux kernel vulnerability in the x86 interrupt vector management subsystem that can cause a CPU vector resource leak during CPU hotplug operations. The issue occurs when interrupt affinity is reconfigured via procfs and the original CPU goes offline before the interrupt triggers on the new target CPU, preventing proper cleanup of the old vector allocation.

## Technical Analysis

The vulnerability stems from a race condition in the interrupt migration path when `IRQD_MOVE_PCNTXT` is not set. When interrupt affinity is changed through procfs, the reconfiguration is deferred until the next interrupt trigger on the original CPU. At that point, `__irq_move_irq()` allocates a new vector on the target CPU but leaves the old vector on the original CPU marked with `apicd->move_in_progress`, deferring reclamation until the interrupt fires on the new CPU.

The failure path occurs when the original CPU goes offline before the interrupt triggers on the new CPU. In this scenario, `irq_force_complete_move()` is not invoked on the outgoing CPU because `irq_needs_fixup()` returns false—the interrupt is no longer affine to that CPU. Subsequently, `__vector_schedule_cleanup()` on the new CPU resets `apicd->move_in_progress` and `apicd->prev_vector` to zero without reclaiming the vector, leaving it permanently allocated in `vector_matrix`.

The kernel fix reorders operations to invoke `irq_force_complete_move()` before the `irq_needs_fixup()` check when the interrupt was previously affine to the outgoing CPU, and adds a reclamation path in `__vector_schedule_cleanup()` with appropriate warning diagnostics.
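
The failure sequence from the analysis above, replayed in a small user-space C model (an added example, not the kernel's code or the advisory's). The struct layout, helper names, vector numbers and the two `fix_*` flags are assumptions that mirror the described bookkeeping; each flag switches on one half of the described fix.

```c
/* User-space model of the bookkeeping described above. Not kernel code:
 * the struct layout, helper names and vector numbers are assumptions. */
#include <stdbool.h>
#include <stdio.h>

static int  allocated[2];  /* vectors held per CPU (stand-in for vector_matrix) */
static bool online[2];
struct apicd { int cpu, vector, prev_cpu, prev_vector; bool move_in_progress; };
static void free_prev(struct apicd *d) {   /* give the old vector back */
    if (d->prev_vector) allocated[d->prev_cpu]--;
    d->prev_vector = 0;
    d->move_in_progress = false;
}
/* Deferred affinity change: allocate on the new CPU, keep the old vector. */
static void move_irq(struct apicd *d, int new_cpu, int new_vector) {
    d->prev_cpu = d->cpu;  d->prev_vector = d->vector;
    d->cpu = new_cpu;      d->vector = new_vector;
    allocated[new_cpu]++;
    d->move_in_progress = true;
}
/* CPU offline. fix_order models calling irq_force_complete_move() before
 * the irq_needs_fixup() check when the IRQ used to be affine to this CPU. */
static void cpu_offline(struct apicd *d, int cpu, bool fix_order) {
    bool needs_fixup = (d->cpu == cpu);
    bool was_affine  = d->move_in_progress && d->prev_cpu == cpu;
    if (needs_fixup || (fix_order && was_affine)) free_prev(d);
    online[cpu] = false;
}
/* First interrupt on the new CPU, modelling __vector_schedule_cleanup(). */
static void schedule_cleanup(struct apicd *d, bool fix_reclaim) {
    if (!d->move_in_progress) return;
    if (online[d->prev_cpu] || fix_reclaim) { free_prev(d); return; }
    d->prev_vector = 0;            /* pre-fix: state zeroed, vector not freed */
    d->move_in_progress = false;
}
/* Replays the failure sequence; returns vectors still held by offline CPU 0. */
int leaked_vectors(bool fix_order, bool fix_reclaim) {
    struct apicd d = { .cpu = 0, .vector = 0x31 };
    allocated[0] = 1; allocated[1] = 0;
    online[0] = online[1] = true;
    move_irq(&d, 1, 0x32);               /* affinity change takes effect */
    cpu_offline(&d, 0, fix_order);       /* CPU 0 leaves before IRQ fires on CPU 1 */
    schedule_cleanup(&d, fix_reclaim);   /* IRQ finally fires on CPU 1 */
    return allocated[0];
}
int main(void) {
    printf("unfixed=%d reorder=%d reclaim=%d\n", leaked_vectors(false, false),
           leaked_vectors(true, false), leaked_vectors(false, true));
    return 0;
}
```

In the model, either half of the fix alone returns the vector; the unfixed sequence leaves one vector allocated on a CPU that is no longer online.
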
## Affected Products

Per the CISA CSAF advisory ICSA-25-226-15, Siemens has identified the following affected product:

- **RUGGEDCOM RST2428P (6GK6242-6PA00)** running SINEC OS

The following Siemens product families were evaluated and determined **not affected**:

- SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family
- SCALANCE XCM-/XRM-/XCH-/XRH-300 family

## Remediation

Siemens provides a vendor fix: update affected RUGGEDCOM RST2428P devices to **SINEC OS V3.1 or later**. The advisory was initially published on 2025-08-12 and most repu

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: NONE
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Operators of Siemens RUGGEDCOM RST2428P industrial networking equipment running SINEC OS versions prior to V3.1; security teams managing industrial control system (ICS) environments with Linux-based embedded systems utilizing CPU hotplug capabilities.

Technical summary

Linux kernel vulnerability in genirq/cpuhotplug and x86/vector subsystems where deferred interrupt affinity migration during CPU offline can leak APIC vector resources. Root cause: race between vector cleanup timer and CPU offline when IRQD_MOVE_PCNTXT is absent, causing irq_force_complete_move() to be skipped and __vector_schedule_cleanup() to zero prev_vector without reclamation. Fixed by reordering irq_force_complete_move() invocation and adding defensive reclamation in cleanup path.

Defensive priority

medium

Recommended defensive actions

  • Update affected RUGGEDCOM RST2428P devices to SINEC OS V3.1 or later per vendor guidance
  • Review CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
  • Monitor Siemens ProductCERT advisory SSA-613116 for additional product impact assessments

Evidence notes

CVE published 2025-08-12; modified 2026-02-25. Source: CISA CSAF advisory ICSA-25-226-15, which republishes Siemens ProductCERT SSA-613116. Affected product confirmed via CSAF product tree: RUGGEDCOM RST2428P (6GK6242-6PA00). Remediation: update to V3.1 or later per vendor_fix remediation object.

Official resources

2025-08-12