PatchSiren cyber security CVE debrief
CVE-2024-43894 Siemens CVE debrief
A null pointer dereference vulnerability exists in the Linux kernel's Direct Rendering Manager (DRM) client subsystem. Specifically, in the `drm_client_modeset_probe()` function, a failure of `drm_mode_duplicate()` can return NULL, which was not properly checked before subsequent dereference. The vulnerability was remediated by adding an explicit NULL check. The issue affects Siemens industrial networking products running SINEC OS, which incorporate the vulnerable Linux kernel component. CISA published advisory ICSA-25-226-07 on August 12, 2025, with subsequent revisions through February 25, 2026, to clarify affected product configurations and remove rejected CVE entries. Siemens ProductCERT issued security advisory SSA-355557 to address third-party component vulnerabilities in their SINEC OS platform. The vulnerability is classified with impact category 'Misinformed' in the CSAF source data. No CVSS score is available in the provided source corpus.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations operating Siemens industrial networking infrastructure, particularly those deploying RUGGEDCOM RST2428P switches or SCALANCE X-family managed switches with SINEC OS. OT security teams, ICS asset owners, and critical infrastructure operators should prioritize vendor patch availability and implement defense-in-depth controls per CISA guidance.
Technical summary
The vulnerability exists in the Linux kernel's DRM (Direct Rendering Manager) client implementation. The function `drm_client_modeset_probe()` calls `drm_mode_duplicate()`, which can fail and return NULL. The original code did not validate this return value before dereferencing, leading to a null pointer dereference condition. The remediation adds an explicit NULL check after the `drm_mode_duplicate()` call. This is a classic missing validation vulnerability (CWE-20: Improper Input Validation) in kernel-mode code. The vulnerability affects Siemens industrial networking products (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family) that incorporate the vulnerable Linux kernel through SINEC OS. The CSAF source categorizes the threat impact as 'Misinformed', suggesting potential information disclosure or integrity concerns rather than direct code execution.
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed product-specific guidance and patch availability
- Apply vendor-provided firmware updates for affected SINEC OS-based products when available
- Implement network segmentation for industrial control systems per CISA ICS recommended practices
- Monitor CISA ICS advisories for updates to ICSA-25-226-07
Evidence notes
Source corpus indicates this vulnerability originates from the Linux kernel DRM subsystem (drm/client), specifically a null pointer dereference in drm_client_modeset_probe() when drm_mode_duplicate() fails. The fix involved adding a NULL check. Siemens ProductCERT SSA-355557 and CISA ICSA-25-226-07 document this as affecting third-party components in SINEC OS. The CSAF source marks impact as 'Misinformed' for products CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. Revision history shows advisory updates on 2026-02-12 (corrected affected products), 2026-02-24 (clarified SCALANCE family configurations, removed rejected CVEs), and 2026-02-25 (CISA republication based on Siemens advisory).
Official resources
-
CVE-2024-43894 CVE record
CVE.org
-
CVE-2024-43894 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12