PatchSiren cyber security CVE debrief
CVE-2024-38555 Siemens CVE debrief
CVE-2024-38555 is a use-after-free vulnerability in the Linux kernel's Mellanox mlx5 driver (net/mlx5). The flaw occurs when a firmware command completion arrives while the device is in an internal error state, triggering a refcount underflow and potential memory corruption. The vulnerability was resolved by discarding command completions in internal error states, so that the completion handler is never invoked on freed memory. Siemens has identified this as affecting SINEC OS and related industrial network infrastructure products, with a vendor fix available in version 3.1 or later. The CVSS vector indicates a network attack vector with high attack complexity, requiring no privileges but user interaction, with no impact on confidentiality, integrity, or availability in the scored configuration.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: NONE
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
- Organizations running Siemens industrial network infrastructure, including the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, the SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P switches
- Linux kernel maintainers for systems with Mellanox ConnectX adapters
- OT security teams managing industrial control system networks
Technical summary
The vulnerability exists in the net/mlx5 driver's command completion handling path. When a Mellanox ConnectX device enters an internal error state, firmware may still generate completion events for pending commands. If these completions are processed normally, they can trigger cmd_ent_put() on command entries that have already been freed during error recovery, causing a refcount_t underflow and a use-after-free condition. The fix discards such completions when the device is in internal error state, because recovery manually flushes and triggers all pending completions itself. The kernel stack trace shows the crash path through irq_int_handler → mlx5_eq_async_int → mlx5_cmd_comp_handler → cmd_ent_put, with the refcount warning occurring in atomic context during interrupt handling.
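To make the refcount race concrete, the following is an added user-space model of the pre-fix and post-fix completion handling; it is not mlx5 driver code, and the structures and the names cmd_ent_put, flush_on_internal_error, comp_handler_vulnerable, comp_handler_fixed and simulate are hypothetical stand-ins for the kernel's own. It assumes, as the summary above states, that error recovery completes (and drops the reference of) every pending command before a late firmware completion for the same command can arrive.

```c
/* Simplified user-space model of the completion race behind CVE-2024-38555.
 * Added illustration, not mlx5 driver code: every name here is a hypothetical
 * stand-in for the kernel's structures and functions. */
#include <stdbool.h>
#include <stdio.h>

enum dev_state { DEV_UP, DEV_INTERNAL_ERROR };

struct cmd_ent {
    int refcount;    /* stands in for the kernel's refcount_t */
    bool freed;      /* set instead of calling free(), so a late drop is reported, not a crash */
    int underflows;  /* number of reference drops on an already-released entry */
};

struct device {
    enum dev_state state;
    struct cmd_ent *pending;  /* one in-flight command is enough for the model */
};

/* Drop one reference; the entry is released when the count reaches zero.
 * A drop on a released entry is the refcount_t underflow from the advisory. */
static void cmd_ent_put(struct cmd_ent *ent)
{
    if (ent->freed) {
        ent->underflows++;
        return;
    }
    if (--ent->refcount == 0)
        ent->freed = true;
}

/* Error recovery: mark the device as being in internal error and manually
 * complete every pending command, dropping the reference held for it. */
static void flush_on_internal_error(struct device *dev)
{
    dev->state = DEV_INTERNAL_ERROR;
    if (dev->pending)
        cmd_ent_put(dev->pending);
}

/* Pre-fix behaviour: every firmware completion drops a reference, even when
 * recovery has already completed the command. */
static void comp_handler_vulnerable(struct device *dev, struct cmd_ent *ent)
{
    (void)dev;
    cmd_ent_put(ent);
}

/* Post-fix behaviour: completions arriving in internal error state are
 * discarded, because recovery owns the completion of pending commands. */
static void comp_handler_fixed(struct device *dev, struct cmd_ent *ent)
{
    if (dev->state == DEV_INTERNAL_ERROR)
        return;
    cmd_ent_put(ent);
}

/* Issue one command, optionally hit an internal error (which flushes it),
 * then deliver a late firmware completion. Returns the underflow count. */
static int simulate(void (*handler)(struct device *, struct cmd_ent *),
                    bool internal_error_first)
{
    struct cmd_ent ent = { .refcount = 1, .freed = false, .underflows = 0 };
    struct device dev = { .state = DEV_UP, .pending = &ent };

    if (internal_error_first)
        flush_on_internal_error(&dev);
    handler(&dev, &ent);
    return ent.underflows;
}

int main(void)
{
    printf("normal completion, vulnerable handler: %d underflows\n",
           simulate(comp_handler_vulnerable, false));
    printf("late completion after error, vulnerable handler: %d underflows\n",
           simulate(comp_handler_vulnerable, true));
    printf("late completion after error, fixed handler: %d underflows\n",
           simulate(comp_handler_fixed, true));
    return 0;
}
```

The model tracks a freed flag instead of actually freeing memory so that the second drop is counted rather than corrupting the heap; in the kernel that second drop is the refcount_t underflow warning followed by a use of freed memory.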
Defensive priority
medium
Recommended defensive actions
- Apply the vendor fix by updating affected Siemens products to SINEC OS V3.1 or later
- Monitor kernel logs for refcount_t underflow warnings on systems using Mellanox mlx5-based networking hardware
- Review and implement CISA ICS recommended practices for industrial control system defense in depth
- Verify command completion handling in custom mlx5 driver implementations if maintaining out-of-tree kernel modules
- Assess exposure of affected network infrastructure devices to determine prioritization of patching activities
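As an added example of the log-monitoring action above (not a PatchSiren, Siemens or kernel tool), the following scans kernel log lines for a refcount_t underflow warning whose call trace contains the mlx5 frames named in the advisory. The sample lines are constructed to match the shape of that trace; timestamps, the PCI address and the NN offsets are placeholders, and the names count_mlx5_underflows, has_mlx5_frame and TRACE_WINDOW are this example's own.

```c
/* Added example of the recommended kernel-log check; not a vendor tool.
 * Flags a "refcount_t: underflow" warning when one of the mlx5 command-path
 * frames from the advisory appears in the lines that follow it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Warning text printed by the kernel's refcount code, and the frame names
 * quoted in the advisory's stack trace. */
static const char *UNDERFLOW_MARKER = "refcount_t: underflow";
static const char *MLX5_FRAMES[] = { "cmd_ent_put", "mlx5_cmd_comp_handler", "mlx5_eq_async_int" };
enum { TRACE_WINDOW = 12 };  /* lines after the warning to search for frames (chosen here) */

/* Return true if the line contains any of the mlx5 frame names. */
static bool has_mlx5_frame(const char *line)
{
    for (size_t i = 0; i < sizeof MLX5_FRAMES / sizeof MLX5_FRAMES[0]; i++)
        if (strstr(line, MLX5_FRAMES[i]))
            return true;
    return false;
}

/* Count underflow warnings attributable to the mlx5 command path. */
static int count_mlx5_underflows(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!strstr(lines[i], UNDERFLOW_MARKER))
            continue;
        for (size_t j = i + 1; j < n && j <= i + TRACE_WINDOW; j++) {
            if (strstr(lines[j], UNDERFLOW_MARKER))
                break;  /* a new warning starts; stop attributing frames to this one */
            if (has_mlx5_frame(lines[j])) {
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Constructed sample: one mlx5 underflow followed by an unrelated one. */
static const char *const SAMPLE_LOG[] = {
    "[  100.000001] mlx5_core 0000:00:00.0: device entered internal error state (constructed)",
    "[  100.000002] refcount_t: underflow; use-after-free.",
    "[  100.000003] WARNING: CPU: 0 PID: 0 at lib/refcount.c:NN refcount_warn_saturate+0xNN/0xNN",
    "[  100.000004] Call Trace:",
    "[  100.000005]  <IRQ>",
    "[  100.000006]  cmd_ent_put+0xNN/0xNN [mlx5_core]",
    "[  100.000007]  mlx5_cmd_comp_handler+0xNN/0xNN [mlx5_core]",
    "[  100.000008]  mlx5_eq_async_int+0xNN/0xNN [mlx5_core]",
    "[  100.000009]  irq_int_handler+0xNN/0xNN",
    "[  100.000010]  </IRQ>",
    "[  200.000001] refcount_t: underflow; use-after-free.",
    "[  200.000002] Call Trace:",
    "[  200.000003]  other_driver_release+0xNN/0xNN [other_driver]",
};
static const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

int main(void)
{
    printf("mlx5-attributed refcount underflows: %d\n",
           count_mlx5_underflows(SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

Feeding real dmesg or journal output through the same function is a matter of reading lines into an array; the window stops at the next underflow warning so that an unrelated refcount warning is not attributed to mlx5 just because it follows one.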
Evidence notes
The vulnerability description and kernel stack trace are sourced from the CISA CSAF advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. The fix involves modifying the mlx5 driver to discard command completions when the device is in internal error state, preventing use-after-free conditions. The kernel log shows refcount_t underflow warnings originating from cmd_ent_put and mlx5_cmd_comp_handler functions in the mlx5_core module.
Official resources
- CVE-2024-38555 CVE record (CVE.org)
- CVE-2024-38555 NVD detail (NVD)
- Source item: CISA CSAF advisory (cisa_csaf)