PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-46818 Siemens CVE debrief

CVE-2024-46818 is a vulnerability in the Linux kernel's AMD display driver (drm/amd/display) where a gpio_id value is used as an array index without proper bounds checking. The vulnerability was published on August 12, 2025, and last modified on February 25, 2026. Siemens ProductCERT issued advisory SSA-355557 addressing third-party components in SINEC OS, which was subsequently republished by CISA as ICSA-25-226-07. The CISA advisory underwent multiple revisions, with the most significant update on February 25, 2026, republishing it based on the Siemens advisory. Notably, the threat assessment in the source material categorizes the impact as 'Misinformed' for affected product IDs, suggesting potential confusion or misattribution in the vulnerability's applicability. The affected products listed include RUGGEDCOM RST2428P, the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and the SCALANCE XCM-/XRM-/XCH-/XRH-300 family, though the 'Misinformed' classification indicates these may not be genuinely vulnerable. No CVSS score or severity rating is available in the source corpus. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2025-08-12
Original CVE updated
2026-02-25
Advisory published
2025-08-12
Advisory updated
2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE XC/XR/XCM/XRM/XCH/XRH families) should verify actual exposure, as the advisory's 'Misinformed' classification indicates uncertainty about whether these products are truly affected. Linux kernel maintainers and distributors should ensure the bounds check patch is applied to affected kernel versions. Industrial control system operators should follow CISA's defense-in-depth recommendations for ICS environments regardless of this specific vulnerability's status.

Technical summary

The vulnerability exists in the AMD display driver subsystem of the Linux kernel (drivers/gpu/drm/amd/display). The issue is insufficient validation of gpio_id values before they are used as array indices, which could lead to out-of-bounds access. The fix adds a bounds check on gpio_id prior to array indexing. This is a classic input validation weakness (CWE-20: Improper Input Validation) in kernel-mode graphics driver code. The 'Misinformed' classification in the Siemens/CISA advisory suggests the vulnerability may have been incorrectly attributed to certain products, possibly because the AMD display driver component is not actually used in the affected Siemens networking equipment (RUGGEDCOM, SCALANCE families), which are industrial Ethernet switches and routers that would not typically expose GPU display functionality.
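As an added illustration of the bug class the advisory describes, the following is constructed example code, not the kernel's drm/amd/display source: the table, struct and function names are hypothetical. It places an unchecked lookup beside the guarded form the fix introduces, and shows the caller propagating the failure rather than dereferencing a bad slot.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a driver-internal GPIO descriptor table.
 * Names and layout are hypothetical; this is not the kernel's data. */
#define GPIO_TABLE_SIZE 8u

struct gpio_info {
    uint32_t reg_offset;
    uint32_t mask;
};

static const struct gpio_info gpio_table[GPIO_TABLE_SIZE] = {
    {0x00, 0x01}, {0x04, 0x02}, {0x08, 0x04}, {0x0c, 0x08},
    {0x10, 0x10}, {0x14, 0x20}, {0x18, 0x40}, {0x1c, 0x80},
};

/* Vulnerable form: gpio_id is trusted as an index. Any id >= GPIO_TABLE_SIZE
 * reads past the end of the table (the CWE-20 pattern the advisory names). */
static const struct gpio_info *gpio_lookup_unchecked(uint32_t gpio_id)
{
    return &gpio_table[gpio_id];
}

/* Hardened form: reject the id before it is ever used as an index.
 * An unsigned >= comparison rejects both the off-by-one at GPIO_TABLE_SIZE
 * and any negative value that was converted to unsigned on the way in. */
static const struct gpio_info *gpio_lookup_checked(uint32_t gpio_id)
{
    if (gpio_id >= GPIO_TABLE_SIZE)
        return NULL;
    return &gpio_table[gpio_id];
}

/* Caller pattern: surface the failure instead of using a bad slot.
 * Returns 0 on success, -1 if gpio_id is out of range. */
static int gpio_get_mask(uint32_t gpio_id, uint32_t *mask_out)
{
    const struct gpio_info *info = gpio_lookup_checked(gpio_id);
    if (info == NULL)
        return -1;
    *mask_out = info->mask;
    return 0;
}
```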

Defensive priority

low

Recommended defensive actions

  • Verify whether affected Siemens products actually incorporate the vulnerable AMD display driver code path, as the 'Misinformed' threat classification suggests potential misattribution
  • Monitor Siemens ProductCERT advisory SSA-355557 for clarification on actual affected status
  • Apply standard ICS defense-in-depth practices per CISA guidance for industrial control systems
  • Review kernel update channels for Linux-based Siemens products to ensure timely patching of third-party components
  • Assess network segmentation for affected SCALANCE and RUGGEDCOM devices to limit potential attack surface

Evidence notes

The source CSAF document from CISA (ICSA-25-226-07) contains a threat entry with category 'impact' and details 'Misinformed' for product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. The revision history shows four updates, with the February 25, 2026 republication explicitly stating it was based on 'Siemens ProductCERT SSA-355557 advisory.' The description field contains only the kernel commit message 'drm/amd/display: Check gpio_id before used as array index.' No CVSS vector or score is present in the source. The KEV-related fields (kevDateAdded, kevDueDate) are null in both the CVE and enrichment objects.

Official resources

2025-08-12