PatchSiren cyber security CVE debrief
CVE-2024-41070 Siemens CVE debrief
CVE-2024-41070 describes a use-after-free (UAF) vulnerability in the KVM (Kernel-based Virtual Machine) subsystem for PowerPC (PPC) architecture, specifically within the Book3S HV (Hypervisor) mode in the function kvm_spapr_tce_attach_iommu_group(). This vulnerability exists in the Linux kernel's handling of IOMMU group attachments for SPAPR (Scalable Power Architecture Platform Reference) TCE (Translation Control Entry) tables. The UAF condition could potentially allow a privileged attacker to corrupt memory or escalate privileges within a virtualized environment on affected PowerPC systems.

The vulnerability was originally published in the Linux kernel security context and subsequently incorporated into Siemens ProductCERT advisory SSA-355557 as part of a broader third-party component security assessment for SINEC OS and related industrial networking products. CISA republished this advisory as ICSA-25-226-07 on August 12, 2025, with subsequent revisions through February 25, 2026, to clarify affected product configurations and remove rejected CVE entries.

Notably, the threat assessment in the source advisory categorizes the impact for specific Siemens product IDs (CSAFPID-0006, CSAFPID-0002, CSAFPID-0003) as 'Misinformed,' suggesting that initial impact assessments may have been incorrect or that the vulnerability's applicability to these specific configurations was misunderstood. The advisory revision history indicates significant changes to the affected products list, with entries moved to 'Known Not Affected Products' in the February 12, 2026 update, and further clarifications to the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configuration scope on February 24, 2026.

Organizations running KVM virtualization on PowerPC architectures, particularly in industrial control system environments using Siemens networking equipment with SINEC OS, should verify their specific product configurations against the latest advisory guidance to determine actual exposure.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations running KVM virtualization on IBM Power Systems or other PowerPC hardware, particularly those in industrial environments using Siemens SCALANCE or RUGGEDCOM networking equipment with SINEC OS. System administrators responsible for PowerPC-based virtualized infrastructure. Security teams managing multi-tenant or untrusted guest workloads on PowerPC KVM hosts. Industrial control system operators relying on Siemens networking products where third-party Linux kernel components may introduce virtualization-layer risks.
Technical summary
Use-after-free vulnerability in Linux kernel KVM subsystem for PowerPC Book3S HV mode. Affects kvm_spapr_tce_attach_iommu_group() function handling IOMMU group attachments for SPAPR TCE tables. Originally a kernel-level virtualization vulnerability, incorporated into Siemens third-party component security assessment for industrial networking products. Advisory impact assessment marked as 'Misinformed' for specific product configurations, with revision history showing corrections to affected products list. No CVSS score available in source data. Not in CISA KEV.
Defensive priority
medium
Recommended defensive actions
- Verify whether your organization operates KVM virtualization on PowerPC (PPC) architecture, specifically systems utilizing Book3S HV mode with SPAPR TCE IOMMU group attachments
- For Siemens industrial networking products running SINEC OS, consult the latest revision of Siemens ProductCERT advisory SSA-355557 to confirm whether your specific product configuration is affected, given the advisory's
- Apply kernel security updates from your Linux distribution vendor that address CVE-2024-41070, prioritizing systems running untrusted or multi-tenant virtualized workloads on PowerPC hardware
- Review virtualization isolation boundaries on affected PowerPC KVM hosts to ensure compromised guests cannot leverage this UAF for host-level privilege escalation
- Monitor CISA ICS advisories and Siemens ProductCERT notifications for any future clarifications to the 'Misinformed' impact assessment or additional affected product configurations
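A host-side triage check for the first action above, as an added example that is not part of the advisory or of any Siemens or kernel tooling. It assumes that a loaded `kvm_hv` module or `CONFIG_KVM_BOOK3S_64_HV` in the kernel config indicates Book3S HV support; the function names and result labels are this example's own, and the check does not determine whether a kernel is patched.

```shell
#!/bin/sh
# Added example: classify whether a Linux host carries the KVM PPC Book3S HV
# code path named in CVE-2024-41070. This is a triage aid, not a patch check.
#
# classify_kvm_hv ARCH MODULES_FILE KCONFIG_FILE
#   ARCH          output of `uname -m`
#   MODULES_FILE  file in /proc/modules format
#   KCONFIG_FILE  kernel config, e.g. /boot/config-<release>
# Prints one of: not-applicable, hv-loaded, hv-builtin, hv-available, hv-absent
classify_kvm_hv() {
    arch=$1; modules=$2; kconfig=$3

    # Only 64-bit PowerPC hosts can run Book3S HV KVM.
    case "$arch" in
        ppc64|ppc64le) ;;
        *) echo "not-applicable"; return 0 ;;
    esac

    # Assumption: kvm_hv is the module that provides Book3S HV mode.
    if [ -r "$modules" ] && grep -q '^kvm_hv ' "$modules"; then
        echo "hv-loaded"; return 0
    fi

    # Module not loaded: see whether the kernel was built with HV support.
    if [ -r "$kconfig" ]; then
        opt=$(grep -E '^CONFIG_KVM_BOOK3S_64_HV=' "$kconfig" || true)
        case "$opt" in
            *=y) echo "hv-builtin"; return 0 ;;
            *=m) echo "hv-available"; return 0 ;;   # loadable on demand
        esac
    fi

    echo "hv-absent"
}

# Run the classification against the live host.
check_this_host() {
    classify_kvm_hv "$(uname -m)" /proc/modules "/boot/config-$(uname -r)"
}

echo "CVE-2024-41070 host triage: $(check_this_host)"
```

Hosts reporting `hv-loaded` or `hv-builtin` are the ones to prioritise for the distribution kernel update; `hv-available` means the module can still be loaded later.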
Evidence notes
CVE description sourced from CISA CSAF advisory ICSA-25-226-07. Vendor attribution to Siemens confirmed through csaf_product_tree_vendor field with high confidence. Threat impact assessment of 'Misinformed' documented for product IDs CSAFPID-0006, CSAFPID-0002, CSAFPID-0003. Advisory revision history shows four versions: initial publication (2025-08-12), correction of affected products list (2026-02-12), clarification of SCALANCE family configuration and removal of rejected CVEs (2026-02-24), and CISA republication based on Siemens SSA-355557 (2026-02-25). No CVSS score or severity provided in source corpus. Not listed in CISA KEV catalog.
Official resources
- CVE-2024-41070 CVE record (CVE.org)
- CVE-2024-41070 NVD detail (NVD)
- Source item URL (cisa_csaf)