PatchSiren cyber security CVE debrief
CVE-2024-44965 Siemens CVE debrief
CVE-2024-44965 is a Linux kernel vulnerability in the x86/mm subsystem affecting Page Table Isolation (PTI) cloning functionality. The flaw exists in pti_clone_pgtable(), which incorrectly assumes that start addresses are PMD (Page Middle Directory) aligned—a condition true on x86_64 but not on i386 architectures. This alignment assumption can cause the end condition to malfunction, resulting in a 'short' clone of the page table. When user mappings contain incomplete copies of entry text, this leads to endless trap loops until entry stack exhaustion, followed by a double fault (#DF) from the stack guard. The vulnerability was reported by Guenter on i386-nosmp builds using GCC-11. The fix involves using the correct increment form for address calculations to eliminate alignment assumptions.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations running Siemens industrial control products with embedded Linux kernels, particularly those on 32-bit x86 (i386) architectures. System administrators of industrial control systems (ICS/OT) environments where kernel stability is critical for operational technology availability. Security teams responsible for patch management in OT networks using affected Siemens product families including RUGGEDCOM and SCALANCE devices.
Technical summary
The vulnerability resides in pti_clone_pgtable() in the Linux kernel's x86/mm subsystem. The function incorrectly assumes that start addresses passed to it are PMD-aligned, which holds for x86_64 but fails on i386 where page table structures differ. This assumption causes the cloning loop's termination condition to evaluate incorrectly, producing incomplete page table copies. When entry text mappings are truncated, the CPU encounters invalid page table entries during privilege transitions, generating endless page faults. These recursive traps exhaust the entry stack, triggering a stack guard violation and subsequent double fault (#DF), resulting in system crash. The fix corrects address increment logic to remove alignment dependencies.
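The 'short' clone can be reproduced with the loop arithmetic alone. The following user-space model is an added illustration, not kernel code and not taken from the advisory; the 2 MiB PMD_SIZE, the sample addresses, and the step-to-next-boundary increment used for the corrected loop are assumptions chosen for the demonstration.

```c
/* User-space model of the loop arithmetic only; not kernel code. */
#include <stdio.h>

#define PMD_SIZE 0x200000UL             /* assumed: 2 MiB per PMD entry */
#define PMD_INDEX(a) ((a) / PMD_SIZE)

/* Next PMD boundary strictly above addr, wherever addr sits. */
static unsigned long next_pmd(unsigned long addr)
{
    return (addr / PMD_SIZE + 1) * PMD_SIZE;
}

/* PMD entries that overlap [start, end): what a full clone must copy. */
unsigned long pmds_required(unsigned long start, unsigned long end)
{
    return PMD_INDEX(end - 1) - PMD_INDEX(start) + 1;
}

/* Stride that is only correct when start is PMD-aligned. */
unsigned long pmds_cloned_fixed_stride(unsigned long start, unsigned long end)
{
    unsigned long n = 0;
    for (unsigned long addr = start; addr < end; addr += PMD_SIZE)
        n++;                            /* one PMD entry copied per pass */
    return n;
}

/* Alignment-independent stride: step to the next PMD boundary. */
unsigned long pmds_cloned_boundary_step(unsigned long start, unsigned long end)
{
    unsigned long n = 0;
    for (unsigned long addr = start; addr < end; addr = next_pmd(addr))
        n++;
    return n;
}

int main(void)
{
    /* Constructed range: starts one page below a PMD boundary, two pages long. */
    unsigned long start = 0x1ff000UL, end = 0x201000UL;

    printf("required=%lu fixed_stride=%lu boundary_step=%lu\n",
           pmds_required(start, end),
           pmds_cloned_fixed_stride(start, end),
           pmds_cloned_boundary_step(start, end));
    return 0;
}
```

With an unaligned start, the fixed stride jumps past `end` after one pass and never visits the second PMD entry, while both loops agree whenever `start` is PMD-aligned.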
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for affected product configurations and patch availability
- Verify Linux kernel version and apply vendor-provided security updates for affected Siemens industrial control products
- For systems running i386-nosmp builds, prioritize kernel updates due to the crash-inducing nature of this vulnerability
- Monitor CISA ICS advisories for additional guidance on industrial control system protections
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
Evidence notes
The vulnerability description is sourced from the CISA CSAF advisory ICSA-25-226-07, which republishes Siemens ProductCERT advisory SSA-355557. The technical details describe a kernel memory management flaw specific to 32-bit x86 (i386) builds where PTI page table cloning fails due to incorrect alignment assumptions. The source indicates this vulnerability has been resolved in the Linux kernel. The advisory was initially published on 2025-08-12 and most recently updated on 2026-02-25 based on Siemens ProductCERT SSA-355557.
Official resources
- CVE-2024-44965 CVE record (CVE.org)
- CVE-2024-44965 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12