PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-43871 Siemens CVE debrief

A memory leak exists in the Linux kernel's device resource management (devres) subsystem, in the devm_free_percpu() API. devm_free_percpu() called devres_destroy() instead of devres_release() when freeing per-CPU memory allocated with devm_alloc_percpu(), so the devres entry was dropped from the device's managed-resource list but the per-CPU region itself was never freed. Each explicit free therefore leaks one allocation, and a driver that allocates and frees repeatedly can exhaust per-CPU memory over time. The kernel fix replaces the devres_destroy() call with devres_release(). Siemens has marked this CVE as 'Misinformed' for the listed industrial control system products, meaning the products are not impacted as initially reported.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Linux kernel maintainers and authors of device drivers that allocate per-CPU memory with devm_alloc_percpu() and free it explicitly with devm_free_percpu(); operators of Siemens RUGGEDCOM and SCALANCE networking equipment in industrial control systems; security teams responsible for OT/ICS patch management; organizations running embedded Linux systems with long uptimes, where a slow leak becomes an availability problem

Technical summary

The bug is in the Linux kernel's device resource management (devres) subsystem. Every devres entry carries a release callback and a pointer to the resource it owns. devres_release() unlinks the entry from the device's list, runs the release callback, and frees the entry; devres_destroy() unlinks and frees the entry but deliberately skips the callback, leaving the resource to whoever already freed it. devm_free_percpu(), which drivers use to free per-CPU memory obtained from devm_alloc_percpu() before the device is detached, called devres_destroy() rather than devres_release(). The devm_percpu_release() callback that calls free_percpu() therefore never ran, and because the entry was already gone from the list, the usual devres cleanup at device detach could not reclaim the region either. The result is one leaked per-CPU allocation per devm_free_percpu() call, and with repeated allocate/free cycles, per-CPU memory exhaustion and instability over time. Drivers that never call devm_free_percpu() and simply let devres release the allocation at detach are not affected, since that path was always devres_release_all(). The kernel's CVE description identifies only the coding error; it names no specific driver or trigger path. The fix replaces the devres_destroy() call in devm_free_percpu() with devres_release().
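To make the difference between the two helpers concrete, the following is an added userspace model of the devres list; it is not kernel code and not from Siemens or the CVE record. The function names follow the kernel API, but the bodies are simplified stand-ins: a bump pool of fixed-size slots replaces the per-CPU allocator, entries are matched by pointer instead of a match callback, and there is no locking. devm_free_percpu_buggy() mirrors the pre-fix call to devres_destroy(), devm_free_percpu_fixed() the post-fix call to devres_release(), and leaked_after_alloc_free() reports how many regions stay allocated after one allocate/free cycle.

```c
/* Added example, not kernel code: a userspace model of the devres list showing
 * why devm_free_percpu() leaked while it called devres_destroy(), and why
 * devres_release() fixes it. Names follow the kernel API; bodies are stand-ins. */
#include <stdio.h>
#include <stdlib.h>

struct device;
typedef void (*dr_release_t)(struct device *dev, void *res);

struct devres {                 /* one managed resource */
    struct devres *next;
    dr_release_t release;       /* how to free ->data */
    void *data;                 /* the resource itself */
};
struct device { struct devres *devres_head; };
/* Stand-in per-CPU allocator: a bump pool plus a live count leaks show up in. */
#define PCPU_SLOTS 8
static char pcpu_pool[PCPU_SLOTS][64];
static int next_slot, live_regions;

/* Unlink the node for (release, data); the caller owns it afterwards. */
static struct devres *devres_remove(struct device *dev, dr_release_t release, void *data)
{
    for (struct devres **pp = &dev->devres_head; *pp; pp = &(*pp)->next) {
        if ((*pp)->release == release && (*pp)->data == data) {
            struct devres *dr = *pp;
            *pp = dr->next;
            return dr;
        }
    }
    return NULL;
}

/* devres_destroy(): drop the bookkeeping node only; ->data is never released. */
static int devres_destroy(struct device *dev, dr_release_t release, void *data)
{
    struct devres *dr = devres_remove(dev, release, data);
    if (!dr) return -1;         /* -ENOENT in the kernel */
    free(dr);
    return 0;
}

/* devres_release(): unlink, run the release callback, then drop the node. */
static int devres_release(struct device *dev, dr_release_t release, void *data)
{
    struct devres *dr = devres_remove(dev, release, data);
    if (!dr) return -1;
    dr->release(dev, dr->data);
    free(dr);
    return 0;
}

static void devm_percpu_release(struct device *dev, void *pdata)
{
    (void)dev; (void)pdata;     /* the kernel calls free_percpu(pdata) here */
    live_regions--;
}

void *devm_alloc_percpu(struct device *dev)
{
    if (next_slot == PCPU_SLOTS) return NULL;
    struct devres *dr = calloc(1, sizeof *dr);
    if (!dr) return NULL;
    dr->release = devm_percpu_release;
    dr->data = pcpu_pool[next_slot++];
    dr->next = dev->devres_head;
    dev->devres_head = dr;
    live_regions++;
    return dr->data;
}

/* Pre-fix devm_free_percpu(): wrong helper, the region is leaked. */
void devm_free_percpu_buggy(struct device *dev, void *pdata) {
    devres_destroy(dev, devm_percpu_release, pdata);
}

/* Post-fix devm_free_percpu(): the release callback runs, region returned. */
void devm_free_percpu_fixed(struct device *dev, void *pdata) {
    devres_release(dev, devm_percpu_release, pdata);
}

/* Allocate once, free with free_fn, return how many regions stayed allocated.
 * -2 would mean the node is still listed; neither helper leaves it there, which
 * is why a later device detach could not reclaim what the buggy path leaked. */
int leaked_after_alloc_free(void (*free_fn)(struct device *, void *))
{
    struct device dev = { NULL };
    int before = live_regions;
    void *p = devm_alloc_percpu(&dev);
    if (!p) return -1;
    free_fn(&dev, p);
    if (dev.devres_head) return -2;
    return live_regions - before;
}

int main(void)
{
    printf("buggy: %d region(s) leaked\n", leaked_after_alloc_free(devm_free_percpu_buggy));
    printf("fixed: %d region(s) leaked\n", leaked_after_alloc_free(devm_free_percpu_fixed));
    return 0;
}
```

The model reports one leaked region for the buggy path and zero for the fixed one. The point worth noticing is the -2 branch: it is never taken, because devres_destroy() does remove the entry from the list. That is exactly why the bug is silent. Nothing is left behind for devres_release_all() to find at detach, so the leaked per-CPU region is unreachable by any cleanup path and only shows up as a slowly growing memory footprint.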

Defensive priority

medium

Recommended defensive actions

  • Identify the Linux kernel version in use and apply vendor-provided updates where the kernel predates the devm_free_percpu() fix
  • Review Siemens ProductCERT advisory SSA-355557 for the definitive product impact assessment; for this CVE Siemens has marked the listed products as 'Misinformed', so no product-specific remediation is expected
  • For Siemens RUGGEDCOM RST2428P and SCALANCE product families, confirm the installed firmware version against current vendor security notifications
  • Apply standard ICS security practices, including network segmentation and access controls, per CISA recommended practices
  • On long-running systems whose drivers call devm_free_percpu() explicitly, watch for kernel memory growth under a steady workload, for example a steadily rising Percpu value in /proc/meminfo
  • Contact Siemens ProductCERT for clarification if product-specific impact remains uncertain

Evidence notes

The CVE description states the vulnerability was resolved in the Linux kernel by replacing devres_destroy() with devres_release() in devm_free_percpu(). The CISA CSAF advisory ICSA-25-226-07 (published 2025-08-12, modified 2026-02-25) lists this CVE with threat category 'impact' marked as 'Misinformed' for product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. Siemens ProductCERT advisory SSA-355557 is the authoritative source for product impact assessment. The CVSS score of 5.5 (MEDIUM) reflects availability impact through resource exhaustion. No known exploitation in the wild or ransomware campaign use has been reported.

Official resources

CISA ICS Advisory ICSA-25-226-07 (published 2025-08-12)
Siemens ProductCERT Security Advisory SSA-355557