PatchSiren cyber security CVE debrief
CVE-2024-46719 Siemens CVE debrief
A null pointer dereference vulnerability exists in the Linux kernel's USB Type-C UCSI (USB Type-C Connector System Software Interface) driver. The flaw occurs in the `ucsi_register_altmode` function, which checks for error pointers using `IS_ERR` but incorrectly treats NULL as a valid return value. When `CONFIG_TYPEC_DP_ALTMODE` is not enabled, `ucsi_register_displayport` returns NULL, leading to a NULL pointer dereference in trace operations. This vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE switch families. The issue is rated MEDIUM severity (CVSS 5.5) with local attack vector, low attack complexity, and low privileges required, resulting in high availability impact. The vulnerability was published on August 12, 2025, and the advisory was last modified on February 25, 2026. Siemens has released updates to address this issue.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families. System administrators responsible for Linux kernel configurations in industrial environments. Security teams managing OT/ICS infrastructure with USB Type-C connectivity requirements.
Technical summary
The vulnerability exists in the Linux kernel's USB Type-C UCSI driver, specifically in `ucsi_register_altmode`. The function uses `IS_ERR` to check for error conditions but fails to validate NULL pointers. When `CONFIG_TYPEC_DP_ALTMODE` is disabled, `ucsi_register_displayport` returns NULL instead of registering the DisplayPort alternate mode, causing a NULL pointer dereference during trace operations. The fix involves calling `typec_port_register_altmode` to register DisplayPort as a non-controllable mode when the configuration option is not enabled, rather than returning NULL. This is a local vulnerability requiring low privileges with no confidentiality or integrity impact, but high availability impact through potential system crashes.
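The check described above can be reproduced in userspace. The following is an added example, not kernel source and not code from the Siemens or CISA advisories: the macros model the error-pointer convention of the kernel's `<linux/err.h>`, and the struct and all function names are hypothetical stand-ins for the before and after behaviour.

```c
/* Userspace model (added example, not kernel source) of the error-pointer
 * convention involved in CVE-2024-46719. The macros mirror the semantics of
 * the kernel's <linux/err.h>; all function names below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)

struct altmode { const char *name; int controllable; };

static struct altmode dp_full = { "displayport", 1 };
static struct altmode dp_stub = { "displayport", 0 };

/* Pre-fix shape: with DP alt mode support compiled out, the stub returns NULL. */
static struct altmode *register_dp_before(int dp_enabled)
{
    return dp_enabled ? &dp_full : NULL;
}

/* Post-fix shape as the page describes it: still register the mode, but as
 * non-controllable, so callers never receive NULL. */
static struct altmode *register_dp_after(int dp_enabled)
{
    return dp_enabled ? &dp_full : &dp_stub;
}

/* Caller that only checks IS_ERR: returns 1 if it would go on to dereference. */
static int caller_would_deref(const struct altmode *alt)
{
    return !IS_ERR(alt);
}

/* Returns 1 when the caller would dereference a NULL pointer (the crash). */
static int null_deref_reached(const struct altmode *alt)
{
    return caller_would_deref(alt) && alt == NULL;
}

int main(void)
{
    printf("before, DP off: crash=%d\n", null_deref_reached(register_dp_before(0)));
    printf("after,  DP off: crash=%d\n", null_deref_reached(register_dp_after(0)));
    printf("ENOMEM caught by IS_ERR: %d\n", IS_ERR(ERR_PTR(-12)));
    return 0;
}
```

NULL is numerically 0, far below the top 4095 addresses that `IS_ERR` reserves for encoded errno values, so an `IS_ERR`-only check lets it through to the dereference.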
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE switch families
- Verify the `CONFIG_TYPEC_DP_ALTMODE` kernel configuration on affected systems where custom kernel builds are used
- Monitor for kernel panics or crashes related to USB Type-C alternate mode registration in system logs
- Implement network segmentation for industrial control systems to limit exposure of affected devices
- Review CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
Evidence notes
Vulnerability description and affected products confirmed through CISA ICS advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. CVSS vector confirms local attack vector with availability impact. Remediation guidance specifies firmware updates to V3.2 or later for affected products.
Official resources
- CVE-2024-46719 CVE record (CVE.org)
- CVE-2024-46719 NVD detail (NVD)
- Source item URL (cisa_csaf)