PatchSiren

CVE-2024-40901 Siemens CVE debrief

CVE-2024-40901 is a Linux kernel vulnerability in the mpt3sas SCSI driver that was resolved by avoiding test/set_bit() operations on non-allocated memory. The vulnerability involves improper memory access in the driver: bit manipulation functions could operate on memory that had not been properly allocated, potentially leading to undefined behavior or system instability. The issue was addressed in the Linux kernel with a fix that ensures these bit operations only occur on properly allocated memory regions. Siemens has assessed this CVE as 'Misinformed' for their affected product lines, indicating that the vulnerability does not actually affect their products as initially reported. The advisory was originally published on August 12, 2025, and has undergone multiple revisions. The most recent update, on February 25, 2026, was a CISA republication based on Siemens ProductCERT advisory SSA-355557. No CVSS score or severity rating is available for this CVE.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

System administrators managing Linux-based industrial control systems, OT security teams monitoring Siemens SCALANCE and RUGGEDCOM product lines, kernel maintainers for distributions shipping the mpt3sas driver, and CISOs responsible for vulnerability management programs in industrial environments should monitor this advisory for definitive product impact assessments from Siemens.

Technical summary

CVE-2024-40901 addresses a vulnerability in the Linux kernel's mpt3sas SCSI driver where test/set_bit() operations could be performed on non-allocated memory. The mpt3sas driver is used for LSI Logic Fusion-MPT SAS 3.0 controllers. The vulnerability stems from improper bounds checking or memory allocation validation before performing atomic bit operations. The fix ensures that bit manipulation functions only operate on properly allocated and initialized memory regions. This type of vulnerability could potentially lead to memory corruption, system crashes, or undefined behavior if exploited. However, CISA and Siemens have assessed this CVE as 'Misinformed' regarding impact to specific Siemens product lines, suggesting the initial vulnerability report may have incorrectly identified affected products or the products are not vulnerable due to configuration or version differences.

Defensive priority

low

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-355557 for definitive product impact assessment
  • Verify Linux kernel version and mpt3sas driver configuration on affected systems
  • Apply kernel updates from distribution vendor if running vulnerable kernel versions
  • Monitor CISA ICS advisories for any future updates to impact assessment
  • Implement defense-in-depth strategies for industrial control systems per CISA guidance

Evidence notes

The source CISA CSAF advisory ICSA-25-226-07 explicitly marks this CVE with threat category 'impact' and details 'Misinformed' for product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. The vulnerability description indicates an issue in the Linux kernel's scsi: mpt3sas driver involving test/set_bit() operations on non-allocated memory. The advisory revision history shows the CVE was maintained through multiple updates, with the February 25, 2026 republication specifically noting it was based on Siemens ProductCERT advisory SSA-355557. No CVSS vector or score is present in the source data.
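The threat entry described in the evidence notes can be read mechanically from a CSAF 2.0 document. The following is an added example, not code from PatchSiren, CISA or Siemens: it extracts 'impact' threat statements and sorts an asset inventory's product IDs into dismissed and needs-review buckets. The sample document is constructed (only the advisory ID, the CVE ID, the threat category and details, and the three product IDs come from this page), and treating 'Misinformed' as grounds for dismissal is an assumption that follows this page's reading of the term.

```python
import json

# Constructed sample: a minimal CSAF 2.0 fragment shaped like the entry the
# evidence notes describe. CVE-0000-00000 is a placeholder, not a real CVE.
SAMPLE_CSAF = json.loads("""
{"document": {"tracking": {"id": "ICSA-25-226-07"}},
 "vulnerabilities": [
  {"cve": "CVE-2024-40901",
   "threats": [{"category": "impact", "details": "Misinformed",
     "product_ids": ["CSAFPID-0006", "CSAFPID-0002", "CSAFPID-0003"]}]},
  {"cve": "CVE-0000-00000",
   "threats": [{"category": "exploit_status", "details": "placeholder"}]}]}
""")


def impact_statements(csaf):
    """Yield (cve, product_id, details) for each threat of category 'impact'."""
    for vuln in csaf.get("vulnerabilities", []):
        cve = vuln.get("cve", "<no CVE id>")
        for threat in vuln.get("threats", []):
            if threat.get("category") != "impact":
                continue
            # product_ids is optional in CSAF; flag statements that lack it
            # instead of silently applying them to every product.
            for pid in threat.get("product_ids") or ["<unscoped>"]:
                yield cve, pid, threat.get("details", "")


def triage(csaf, inventory_pids, dismiss_details=("Misinformed",)):
    """Per CVE, split inventory product IDs into dismissed / needs_review.

    dismiss_details is an assumption: the impact 'details' strings the
    reader's own policy accepts as a vendor statement of no impact.
    """
    dismissed = {(cve, pid) for cve, pid, details in impact_statements(csaf)
                 if details in dismiss_details}
    result = {}
    for vuln in csaf.get("vulnerabilities", []):
        cve = vuln.get("cve", "<no CVE id>")
        buckets = {"dismissed": [], "needs_review": []}
        for pid in inventory_pids:
            key = "dismissed" if (cve, pid) in dismissed else "needs_review"
            buckets[key].append(pid)
        result[cve] = buckets
    return result


if __name__ == "__main__":
    # CSAFPID-0009 is a hypothetical inventory entry the advisory does not cover.
    print(json.dumps(triage(SAMPLE_CSAF, ["CSAFPID-0002", "CSAFPID-0009"]), indent=2))
```

A full triage would also read each vulnerability's product_status object; this example looks only at the threats array the evidence notes mention.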
