PatchSiren cyber security CVE debrief

CVE-2024-49907 Siemens CVE debrief

CVE-2024-49907 describes a missing null pointer check in the Linux kernel's AMD display driver (drm/amd/display) before dc->clk_mgr is used. The vulnerability was originally published on 2025-08-12 and last modified on 2026-02-25. CISA's ICS advisory ICSA-25-226-07, republished on 2026-02-25 on the basis of Siemens ProductCERT advisory SSA-355557, marks this CVE as **Misinformed** for the listed Siemens products, meaning the vulnerability does not actually affect those products as initially assessed. The affected product list was corrected in a February 2026 revision, which moved the entries to the Known Not Affected Products category. No CVSS score or severity is available in the source corpus.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations running Siemens RUGGEDCOM RST2428P or SCALANCE networking equipment that may have seen this CVE in early versions of ICSA-25-226-07. Security teams tracking kernel vulnerabilities on AMD GPU systems should consult upstream Linux kernel security advisories for the actual impact assessment.

Technical summary

This CVE identifies a missing null pointer check in the drm/amd/display subsystem of the Linux kernel, specifically before dereferencing dc->clk_mgr. The vulnerability is a classic null pointer dereference (CWE-476) that could lead to kernel crashes or undefined behavior. However, CISA's advisory ICSA-25-226-07 explicitly marks this CVE as **Misinformed** for the Siemens products originally listed, indicating that the vulnerability does not actually affect these industrial networking devices. The advisory underwent multiple revisions between August 2025 and February 2026 to correct the affected product list. The underlying kernel vulnerability may still affect actual AMD GPU systems running vulnerable Linux kernel versions, but this is outside the scope of the Siemens/CISA advisory context.
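To make the CWE-476 pattern concrete, the following is an added illustration, not code from the Linux kernel or from the advisory. It uses hypothetical stand-in types (struct dc, struct clk_mgr, the functions read_clock_unchecked and read_clock_checked) that are constructed for this example; the only thing it shares with the real driver is the shape of the defect: a pointer member that can legitimately be NULL is dereferenced without a prior check. The hardened variant validates the pointer and reports failure through a return code so the caller can bail out instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for display-core objects. These are constructed for
 * this example and are NOT the drm/amd/display definitions. */
struct clk_mgr {
    unsigned int current_khz;
};

struct dc {
    /* May be NULL during early initialisation or teardown, which is exactly
     * the window in which an unchecked dereference faults. */
    struct clk_mgr *clk_mgr;
};

/* Vulnerable pattern (CWE-476): dereferences dc->clk_mgr with no check.
 * In kernel context this is an oops/panic; in user space, a segfault. */
unsigned int read_clock_unchecked(const struct dc *dc)
{
    return dc->clk_mgr->current_khz;
}

/* Hardened pattern: validate every pointer on the path before use and
 * surface the problem as an error code rather than a crash. */
int read_clock_checked(const struct dc *dc, unsigned int *khz_out)
{
    if (dc == NULL || dc->clk_mgr == NULL || khz_out == NULL)
        return -1;          /* caller must handle "no clock manager yet" */
    *khz_out = dc->clk_mgr->current_khz;
    return 0;
}

int main(void)
{
    struct clk_mgr cm = { .current_khz = 100000 };
    struct dc ready   = { .clk_mgr = &cm };   /* fully initialised */
    struct dc early   = { .clk_mgr = NULL };  /* clk_mgr not yet set up */
    unsigned int khz = 0;

    /* Safe on both states: the checked variant refuses the NULL case. */
    printf("ready -> rc=%d khz=%u\n", read_clock_checked(&ready, &khz), khz);
    printf("early -> rc=%d\n", read_clock_checked(&early, &khz));

    /* The unchecked variant is only safe when clk_mgr is non-NULL;
     * calling read_clock_unchecked(&early) would crash the process. */
    printf("ready (unchecked) -> khz=%u\n", read_clock_unchecked(&ready));
    return 0;
}
```

The defensive lesson is the shape of the fix rather than the specific member name: any pointer that is populated later in an object's lifecycle, or torn down before the object itself, needs a NULL check (or a lifecycle guarantee) at every dereference site that can run in that window.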

Defensive priority

low

Recommended defensive actions

  • Verify that affected product lists from early versions of ICSA-25-226-07 have been updated to reflect the corrected status
  • Review Siemens ProductCERT advisory SSA-355557 for authoritative product impact assessment
  • No patching action required for Siemens RUGGEDCOM RST2428P or SCALANCE families based on current advisory status
  • Maintain standard ICS security practices per CISA recommended practices

Evidence notes

The source CSAF document explicitly categorizes the impact of CVE-2024-49907 as 'Misinformed' for the listed Siemens product IDs (CSAFPID-0006, CSAFPID-0002, CSAFPID-0003). The revision history shows this CVE was included in initial publication but the affected product list was subsequently corrected. The vulnerability description indicates a kernel-level null pointer dereference issue in AMD display driver code, which is not applicable to the Siemens networking equipment listed.

Official resources

2025-08-12