PatchSiren cyber security CVE debrief
CVE-2024-49902 Siemens CVE debrief
CVE-2024-49902 describes a vulnerability in the jfs filesystem component related to the Qualcomm MSM GPU driver. The issue involves assigning msm_gpu->pdev earlier in the initialization process to prevent null pointer dereferences in msm_gpu_cleanup. The vulnerability was published on August 12, 2025, and last modified on February 25, 2026. Siemens has identified this CVE as affecting their RUGGEDCOM RST2428P (6GK6242-6PA00) product, though the source advisory marks the impact assessment as 'Misinformed' for the affected product IDs. The CVE appears to originate from the Linux kernel's jfs filesystem and MSM GPU driver interaction, where improper initialization ordering could lead to null pointer dereference conditions during cleanup operations. No CVSS score or severity rating is currently available in the source data. Organizations should consult the Siemens ProductCERT advisory for specific patch availability and applicability to their deployed systems.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P (6GK6242-6PA00) industrial networking equipment, industrial control system operators using SINEC OS with third-party Linux kernel components, and security teams responsible for OT/ICS infrastructure patch management.
Technical summary
The vulnerability exists in the jfs filesystem component's interaction with the Qualcomm MSM GPU driver. The root cause is improper initialization ordering where msm_gpu->pdev is not assigned early enough in the initialization process, potentially leading to null pointer dereferences during msm_gpu_cleanup operations. The fix involves assigning msm_gpu->pdev earlier in the initialization sequence to ensure proper cleanup handling.
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed product impact assessment and patch availability
- Verify kernel version and jfs/MSM GPU driver configuration on affected Siemens RUGGEDCOM RST2428P deployments
- Apply vendor-provided firmware updates when available per Siemens guidance
- Monitor CISA ICS advisories for additional guidance on industrial control system protections
Evidence notes
Source CISA CSAF advisory ICSA-25-226-07 indicates this CVE was included in Siemens Third-Party Components in SINEC OS advisory. The threat category is marked as 'Misinformed' for affected product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. The advisory underwent four revisions, with the most recent on 2026-02-25 clarifying affected configurations and removing rejected CVEs.
Official resources
- CVE-2024-49902 CVE record (CVE.org)
- CVE-2024-49902 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12