PatchSiren cyber security CVE debrief
CVE-2024-49900 Siemens CVE debrief
This CVE addresses an uninitialized memory vulnerability in the Linux kernel's Journaled File System (JFS) implementation. The issue stems from improper initialization of the `new_ea` field within the `ea_buffer` structure used during extended attribute operations. When `ea_get()` allocated the `ea_buf` structure, the `new_ea` member was not zeroed, so uninitialized values could propagate through `ea_put()` and eventually reach compression routines such as `lzo1x_1_do_compress()`. The vulnerability was detected by syzbot using Kernel Memory Sanitizer (KMSAN), which flagged the use of an uninitialized value in the compression path. The fix adds a `memset()` call at the beginning of `ea_get()` so that the `ea_buf` structure, including `new_ea`, is zeroed before use. This is a classic uninitialized memory bug that could lead to information disclosure or undefined behavior depending on how the uninitialized data is subsequently used. The vulnerability affects the JFS extended attribute code paths (`__jfs_setxattr`, `__jfs_xattr_set`) and was resolved by ensuring proper initialization of the buffer structure.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations running Linux systems with JFS filesystem support enabled, particularly industrial control systems and OT environments using affected Siemens products that incorporate vulnerable kernel versions. System administrators responsible for kernel security patching and filesystem configuration should prioritize this fix.
Technical summary
The Linux kernel's JFS filesystem implementation contained an uninitialized memory vulnerability in the extended attribute handling code. The `ea_buffer` structure's `new_ea` field was not initialized when allocated in `ea_get()`, leading to use of uninitialized values that could propagate through `ea_put()` and reach compression functions. The vulnerability was detected by syzbot using KMSAN. The fix adds `memset()` initialization of the `ea_buf` structure in `ea_get()` to ensure proper zeroing before use.
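The following is an added illustration of the bug class described above, not the kernel's JFS code or the fix commit. It uses a simplified, constructed `struct ea_buffer` (the field set is illustrative, not the kernel's definition) placed over memory that still holds stale contents, the way recycled slab memory might. The "vulnerable" initializer sets only some fields, as the pre-fix `ea_get()` did; the "fixed" initializer zeroes the whole structure first, mirroring the `memset()` fix. A stand-in consumer plays the role of `ea_put()` and the downstream compression path, returning whatever it reads from `new_ea` so the leak of stale bytes is visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-in for the kernel's ea_buffer.
 * The fields here are illustrative, not the kernel's layout. */
struct ea_buffer {
    int flag;                 /* buffer state flags */
    int max_size;             /* bytes available in the buffer */
    void *xattr;              /* pointer to the in-memory EA list */
    uint64_t new_ea;          /* the member left uninitialized by the bug */
};

/* Union lets us write the raw bytes (stale heap contents) and then
 * view the same storage as the structure, without aliasing tricks. */
union arena {
    struct ea_buffer ea;
    unsigned char raw[sizeof(struct ea_buffer)];
};

/* Pattern standing in for whatever the previous user of the memory
 * left behind (constructed value; a real allocator returns arbitrary data). */
#define STALE_BYTE 0xA5u
#define STALE_WORD 0xA5A5A5A5A5A5A5A5ULL

/* Vulnerable pattern: only some fields are assigned; new_ea keeps
 * whatever the allocator handed back. */
static void ea_get_vulnerable(struct ea_buffer *ea_buf, int max_size)
{
    ea_buf->flag = 0;
    ea_buf->max_size = max_size;
    ea_buf->xattr = NULL;
    /* new_ea deliberately untouched: this is the defect being illustrated */
}

/* Fixed pattern: zero the entire structure before any field is used,
 * so every member has a defined value regardless of allocator state. */
static void ea_get_fixed(struct ea_buffer *ea_buf, int max_size)
{
    memset(ea_buf, 0, sizeof(*ea_buf));
    ea_buf->max_size = max_size;
}

/* Stand-in for the downstream consumer (ea_put -> compression): it
 * reads new_ea and hands it back so the caller can inspect it. */
static uint64_t ea_put_consumer(const struct ea_buffer *ea_buf)
{
    return ea_buf->new_ea;
}

/* Initialize a buffer over stale memory with either variant and return
 * the value the consumer observes in new_ea. fixed=0 runs the vulnerable
 * initializer, fixed=1 the memset-based one. */
uint64_t observe_new_ea(int fixed)
{
    union arena a;
    memset(a.raw, STALE_BYTE, sizeof a.raw);   /* simulate recycled memory */
    if (fixed)
        ea_get_fixed(&a.ea, 256);
    else
        ea_get_vulnerable(&a.ea, 256);
    return ea_put_consumer(&a.ea);
}

/* A KMSAN-style check for this demo: did stale bytes reach the consumer? */
int stale_data_leaked(int fixed)
{
    return observe_new_ea(fixed) == STALE_WORD;
}

int main(void)
{
    printf("vulnerable ea_get: new_ea = 0x%016llx (leaked: %s)\n",
           (unsigned long long)observe_new_ea(0),
           stale_data_leaked(0) ? "yes" : "no");
    printf("fixed ea_get:      new_ea = 0x%016llx (leaked: %s)\n",
           (unsigned long long)observe_new_ea(1),
           stale_data_leaked(1) ? "yes" : "no");
    return 0;
}
```

The point of running both variants over the same poisoned storage is that the bug is invisible when the allocator happens to return zeroed memory and only shows up under fuzzing or with a memory sanitizer such as KMSAN, which tracks exactly this kind of uninitialized-then-consumed byte. Zeroing the whole structure at allocation (or using a zeroing allocator) removes the dependency on allocator state entirely.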
Defensive priority
medium
Recommended defensive actions
- Review kernel configurations to determine if JFS filesystem support is enabled and required for operational use
- Apply vendor-provided kernel updates that include the fix for uninitialized `ea_buf->new_ea` in JFS extended attribute handling
- If JFS is not required, consider disabling JFS support via kernel module blacklist or configuration changes to reduce attack surface
- Monitor for kernel memory sanitizer (KMSAN) warnings in development and testing environments that may indicate similar uninitialized memory issues
- Validate that extended attribute operations on JFS filesystems function correctly after applying patches
Evidence notes
The vulnerability was identified through automated kernel fuzzing (syzbot with KMSAN). The fix commit initializes the `ea_buf` structure via `memset()` in `ea_get()` to prevent propagation of uninitialized `new_ea` data through `ea_put()` to downstream consumers including LZO compression routines.
Official resources
- CVE-2024-49900 CVE record (CVE.org)
- CVE-2024-49900 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12