PatchSiren cyber security CVE debrief
CVE-2024-44960 Siemens CVE debrief
A null pointer dereference vulnerability exists in the Linux kernel USB gadget core. The flaw occurs when the endpoint descriptor is not properly set before accessing the maxpacket field, leading to a kernel panic. This can be triggered if a gadget driver fails to configure the endpoint for the current USB speed or if gadget descriptors are malformed such that the descriptor for the specific speed/endpoint combination is not found. While no known gadget drivers currently exhibit this behavior, the vulnerability poses a risk during development of new USB gadgets where improper endpoint setup or malformed descriptors may occur. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM).
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices running SINEC OS. Developers creating custom USB gadget drivers for embedded Linux systems should also be aware of this hardening requirement. Industrial control system operators should monitor for vendor patches and follow CISA recommended practices for securing ICS environments.
Technical summary
The vulnerability exists in the USB gadget core of the Linux kernel. The code fails to verify that an endpoint descriptor has been set before dereferencing it to access the maxpacket field. This results in a null pointer dereference that can cause a kernel panic. The condition arises when: (1) a gadget driver does not properly configure the endpoint for the current USB speed, or (2) gadget descriptors are malformed and the descriptor lookup for the speed/endpoint combination fails. The fix adds a check for unset descriptors before accessing descriptor fields.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates for affected Siemens industrial products when available
- Review USB gadget driver implementations for proper endpoint descriptor initialization
- Validate gadget descriptor configurations for all supported USB speeds during development
- Monitor CISA ICS advisories for updated product-specific guidance
- Implement defense-in-depth strategies for industrial control systems per CISA recommendations
Evidence notes
The vulnerability description indicates this is a defensive hardening fix in the Linux kernel USB gadget subsystem to prevent null pointer dereference panics. The CISA CSAF advisory ICSA-25-226-07, republished on 2026-02-25, references this CVE as affecting Siemens industrial products running SINEC OS. The threat category in the source is marked as 'Misinformed' for affected products. The source advisory underwent multiple revisions, with the most recent on 2026-02-25 clarifying affected configurations and removing rejected CVEs.
Official resources
-
CVE-2024-44960 CVE record
CVE.org
-
CVE-2024-44960 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12