PatchSiren cyber security CVE debrief
CVE-2024-49889 Siemens CVE debrief
CVE-2024-49889 is a use-after-free vulnerability in the Linux kernel's ext4 filesystem, specifically within the ext4_ext_show_leaf() function. The flaw occurs when ext4_find_extent() frees or reallocates a path structure, but a previously saved pointer to that path is still used, leading to potential memory corruption. This vulnerability is only exploitable when EXT_DEBUG is defined, meaning it does not affect standard production functionality. Siemens has identified this vulnerability as affecting multiple industrial networking products including RUGGEDCOM RST2428P and SCALANCE switch families, with patches available in version 3.2 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 family switches in industrial environments. System administrators maintaining custom Linux kernel builds with debugging enabled. Security teams responsible for industrial control system infrastructure and OT network security.
Technical summary
This vulnerability exists in the ext4 filesystem implementation of the Linux kernel. The ext4_ext_show_leaf() function may reference a freed path structure when ext4_find_extent() fails or reallocates memory. The code path involves ext4_split_extent() copying the value of *ppath into a local variable, then calling ext4_split_extent_at(), which may in turn call ext4_find_extent() and free the original path while publishing a new one through *ppath. If subsequent code uses the saved local pointer instead of the updated *ppath, a use-after-free occurs when path[depth].p_hdr is accessed. The identical pattern exists in ext4_ext_handle_unwritten_extents(). The fix removes the local 'path' variable and passes *ppath directly to the ext4_ext_show_leaf() calls. Because ext4_ext_show_leaf() only has a body when EXT_DEBUG is defined at compile time, the affected code is a debugging-only path that is not present in standard production kernels.
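The stale-pointer pattern described above, reduced to a small user-space model as an added illustration (this is not kernel code and not from the Siemens advisory). The names model_find_extent, model_show_leaf, split_extent_before and split_extent_after are stand-ins for the kernel functions named in the summary. Because a real use-after-free is undefined behaviour, the model does not free the old path object; it marks it dead and counts any dereference of a dead object, so the "before" and "after" variants can be compared safely.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the ext4 path object. hdr_entries stands in for the
 * data reached through path[depth].p_hdr; 'dead' is instrumentation only. */
struct ext_path {
    int depth;
    int hdr_entries;
    bool dead;                 /* object has been "freed" by the model */
};

static int stale_reads;            /* dereferences of a dead object seen */
static struct ext_path *graveyard; /* the "freed" object, kept for inspection */

static struct ext_path *path_alloc(int depth, int entries)
{
    struct ext_path *p = calloc(1, sizeof *p);
    if (!p)
        abort();
    p->depth = depth;
    p->hdr_entries = entries;
    return p;
}

/* Model of ext4_find_extent(): on the reallocating path it releases the
 * caller's path object and publishes a fresh one through *ppath. */
static int model_find_extent(struct ext_path **ppath, bool reallocate)
{
    if (reallocate) {
        struct ext_path *old = *ppath;
        old->dead = true;              /* would be a kfree() in the kernel */
        graveyard = old;
        *ppath = path_alloc(old->depth, old->hdr_entries + 1);
    }
    return 0;
}

/* Model of ext4_ext_show_leaf(): reads through whatever path it is handed.
 * Reading a dead object is the use-after-free; the model records it. */
static int model_show_leaf(const struct ext_path *path)
{
    if (path->dead)
        stale_reads++;
    return path->hdr_entries;
}

/* Pattern before the fix: a local copy of *ppath is taken before the call
 * and used afterwards, even though *ppath may now point elsewhere. */
static int split_extent_before(struct ext_path **ppath, bool reallocate)
{
    struct ext_path *path = *ppath;        /* saved pointer */
    model_find_extent(ppath, reallocate);  /* may free what 'path' points to */
    return model_show_leaf(path);          /* stale if reallocation happened */
}

/* Pattern after the fix: no local copy; always dereference *ppath. */
static int split_extent_after(struct ext_path **ppath, bool reallocate)
{
    model_find_extent(ppath, reallocate);
    return model_show_leaf(*ppath);
}

static void reset_model(void)
{
    stale_reads = 0;
    free(graveyard);
    graveyard = NULL;
}

/* Run one variant with reallocation forced; return the stale reads observed. */
int stale_reads_for(int (*variant)(struct ext_path **, bool))
{
    reset_model();
    struct ext_path *path = path_alloc(2, 3);
    variant(&path, true);
    int seen = stale_reads;
    free(path);       /* the replacement object */
    reset_model();    /* releases the "freed" original */
    return seen;
}

int main(void)
{
    printf("before fix: %d stale read(s)\n", stale_reads_for(split_extent_before));
    printf("after fix:  %d stale read(s)\n", stale_reads_for(split_extent_after));
    return 0;
}
```

The point the model makes is that the defect is not in the reallocating callee but in the caller's retention of a pointer across a call that is documented to invalidate it; the fix is purely to re-read the out-parameter after the call. Equivalent to the kernel change, the "after" variant keeps no local copy at all.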
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to version 3.2 or later for affected RUGGEDCOM and SCALANCE products per Siemens ProductCERT advisory
- Verify EXT_DEBUG is not enabled in production kernel builds for any custom Linux deployments
- Review kernel build configurations to ensure debug flags are disabled in operational environments
- Monitor for anomalous filesystem operations or unexpected ext4 debug output as potential indicators of exploitation attempts
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
Evidence notes
The vulnerability description indicates this is a use-after-free in ext4_ext_show_leaf() triggered only when EXT_DEBUG is defined, limiting practical exploitability. Siemens advisory ICSA-25-226-07 (revised 2026-02-25) confirms affected products and remediation paths. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates local attack vector with low complexity, requiring low privileges but no user interaction, with high impact across confidentiality, integrity, and availability.
Official resources
- CVE-2024-49889 CVE record (CVE.org)
- CVE-2024-49889 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source references
2025-08-12