PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-49901 Siemens CVE debrief

CVE-2024-49901 describes a vulnerability in the drm/msm/adreno kernel driver where improper initialization ordering could lead to null pointer dereferences during cleanup operations. The issue stems from msm_gpu->pdev being assigned too late in the initialization process, potentially causing crashes in msm_gpu_cleanup when the platform device pointer is accessed before proper assignment. This vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE X-family switches. The CISA advisory ICSA-25-226-07, published August 12, 2025 and most recently updated February 25, 2026, tracks this issue as part of a broader Siemens third-party components security advisory. The advisory's revision history indicates significant updates, including corrections to affected product lists and removal of multiple rejected CVEs in February 2026. Notably, the threat assessment categorizes the impact as 'Misinformed' for the affected products, suggesting the vulnerability may not be directly exploitable in the Siemens product context or that the risk assessment differs from the upstream kernel vulnerability. No CVSS score is currently assigned in the available sources. Organizations should consult the Siemens ProductCERT advisory SSA-355557 for specific patch availability and applicability to their deployed configurations.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE X-family industrial Ethernet switches with SINEC OS should monitor this advisory. OT security teams managing critical infrastructure networks, particularly in energy, transportation, and manufacturing sectors where these devices are commonly deployed, should prioritize vendor guidance review. Kernel maintainers and embedded Linux developers working with Qualcomm Adreno GPU drivers should also track this fix for upstream integration.

Technical summary

This vulnerability exists in the Qualcomm Adreno GPU driver (drm/msm/adreno) within the Linux kernel. The msm_gpu structure's pdev (platform device) field is assigned during a later stage of initialization than required for safe cleanup operations. If initialization fails or cleanup is triggered before pdev assignment completes, msm_gpu_cleanup may dereference a null pointer, causing kernel panic or system instability. The fix involves reordering initialization to assign msm_gpu->pdev earlier in the probe sequence. While the underlying kernel vulnerability is present, the CISA advisory categorizes impact on Siemens products as 'Misinformed,' indicating the vulnerability may not be directly exploitable in the deployed configuration or that risk assessment differs from upstream context.
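The ordering problem above is easier to see in code. The following is an added, user-space C illustration written for this debrief; it is not the drm/msm driver's code and its structs, step names and the gpu_init_late_pdev / gpu_init_early_pdev / gpu_cleanup_sim functions are constructed stand-ins. Real kernel cleanup would dereference the NULL pdev and oops; the simulation detects that state and reports it so the two orderings can be compared without crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types (not the real drm/msm definitions). */
struct platform_device {
    const char *name;
};

struct msm_gpu {
    struct platform_device *pdev; /* the field the advisory says was assigned too late */
    int *mmio;                    /* stand-in for a mapped register window */
    bool irq_requested;           /* stand-in for a requested interrupt line */
};

enum init_result {
    INIT_OK = 0,             /* probe completed */
    INIT_FAIL_CLEAN = 1,     /* probe failed, cleanup ran with a valid pdev */
    INIT_FAIL_NULL_PDEV = 2  /* probe failed, cleanup ran with pdev == NULL */
};

static int fake_mmio; /* something harmless for the mmio pointer to point at */

/* Cleanup that needs gpu->pdev to reach the device for teardown. In the kernel a
 * NULL pdev here is a null pointer dereference; the demo detects and reports it. */
static enum init_result gpu_cleanup_sim(struct msm_gpu *gpu)
{
    if (gpu->pdev == NULL)
        return INIT_FAIL_NULL_PDEV; /* would have been an oops in the kernel */
    printf("cleanup: releasing resources of %s\n", gpu->pdev->name);
    gpu->mmio = NULL;
    gpu->irq_requested = false;
    return INIT_FAIL_CLEAN;
}

/* Vulnerable ordering: pdev is stored only after steps that can fail, so a failure
 * at any earlier step hands cleanup a structure whose pdev is still NULL. */
static enum init_result gpu_init_late_pdev(struct msm_gpu *gpu,
                                           struct platform_device *pdev,
                                           int fail_at_step)
{
    *gpu = (struct msm_gpu){0};
    if (fail_at_step == 1) return gpu_cleanup_sim(gpu);
    gpu->mmio = &fake_mmio;    /* pretend the register mapping succeeded */
    if (fail_at_step == 2) return gpu_cleanup_sim(gpu);
    gpu->irq_requested = true; /* pretend the IRQ request succeeded */
    gpu->pdev = pdev;          /* assigned last: too late for the failure paths above */
    return INIT_OK;
}

/* Fixed ordering: pdev is stored before anything that can fail, so cleanup always
 * sees a valid device pointer regardless of which step failed. */
static enum init_result gpu_init_early_pdev(struct msm_gpu *gpu,
                                            struct platform_device *pdev,
                                            int fail_at_step)
{
    *gpu = (struct msm_gpu){0};
    gpu->pdev = pdev;          /* assigned first */
    if (fail_at_step == 1) return gpu_cleanup_sim(gpu);
    gpu->mmio = &fake_mmio;
    if (fail_at_step == 2) return gpu_cleanup_sim(gpu);
    gpu->irq_requested = true;
    return INIT_OK;
}

/* Runs one probe scenario against a constructed device (fail_at_step 0 = no failure). */
static enum init_result run_probe(bool early_pdev, int fail_at_step)
{
    static struct platform_device pdev = { "adreno-gpu-constructed" };
    struct msm_gpu gpu;
    return early_pdev ? gpu_init_early_pdev(&gpu, &pdev, fail_at_step)
                      : gpu_init_late_pdev(&gpu, &pdev, fail_at_step);
}

int main(void)
{
    for (int step = 1; step <= 2; step++) {
        printf("late  pdev assignment, fail at step %d -> result %d\n",
               step, run_probe(false, step));
        printf("early pdev assignment, fail at step %d -> result %d\n",
               step, run_probe(true, step));
    }
    return 0;
}
```

The general lesson for driver code review is the one the advisory's fix embodies: any field that a shared cleanup routine reads must be populated before the first point at which that cleanup can be reached, or the cleanup must tolerate it being unset.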

Defensive priority

medium

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-355557 for detailed product-specific guidance and patch availability
  • Verify SINEC OS version and installed kernel packages on affected RUGGEDCOM and SCALANCE devices
  • Assess exposure of management interfaces for affected industrial switches
  • Apply vendor-provided firmware updates when available per organizational change control procedures
  • Monitor CISA ICS advisories for updates to ICSA-25-226-07

Evidence notes

Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-07. Product attribution confirmed through CSAF product tree vendor field. Threat impact categorized as 'Misinformed' per advisory threats section. Revision history shows multiple updates through February 25, 2026, including product list corrections and CVE removals.

Official resources

2025-08-12