PatchSiren cyber security CVE debrief
CVE-2024-49924 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's pxafb framebuffer driver, affecting Siemens industrial networking products. The flaw occurs in the pxafb_probe function where &fbi->task is associated with pxafb_task. The pxafb_blank function within the &pxafb_ops struct can schedule work that may execute after the framebuffer structure has been freed during module removal, leading to a use-after-free condition. This vulnerability requires local access with low privileges and can result in high availability impact through system crashes or instability. The issue was published on August 12, 2025, and affects RUGGEDCOM RST2428P and SCALANCE XC/XR/XCM/XRM/XCH/XRH product families running SINEC OS. Siemens has released firmware updates to address this vulnerability.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial networking devices with SINEC OS. System administrators responsible for OT/ICS infrastructure security and patch management. Security teams monitoring Linux kernel vulnerabilities in embedded industrial systems.
Technical summary
The pxafb driver in the Linux kernel contains a use-after-free vulnerability in pxafb_task(). During probe, pxafb_init_fbinfo() associates &fbi->task with pxafb_task. The pxafb_blank function can schedule work that may execute after unregister_framebuffer() frees fbi->fb via put_fb_info() during module removal (pxafb_remove). This race condition allows access to freed memory, potentially causing denial of service. The vulnerability has a CVSS 3.1 base score of 5.5 (MEDIUM), vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
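The teardown ordering described above, as an added userspace C model (not code from the kernel, Siemens or the advisories). All struct and function names are hypothetical stand-ins, and the model reports a still-queued work item at free time instead of touching freed memory; the cancel-first path mirrors what the kernel's cancel_work_sync() is for.

```c
/* Userspace model (constructed): no kernel APIs, no freed-memory access. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct fb_model { int state; };  /* stands in for struct pxafb_info */

struct work_model {              /* stands in for fbi->task */
    struct fb_model *owner;      /* object the handler would touch */
    bool pending;
};

/* pxafb_blank() analogue: queue deferred work against the device. */
static void schedule_task(struct work_model *w, struct fb_model *fbi) {
    w->owner = fbi;
    w->pending = true;
}

/* cancel_work_sync() analogue: after this, the handler can no longer run. */
static void cancel_task(struct work_model *w) {
    w->pending = false;
    w->owner = NULL;
}

/* pxafb_remove() analogue. Returns true if work is still queued against
 * the object at the moment it is freed, i.e. the handler would later run
 * on freed memory. The pointer is compared before free(), never after. */
static bool remove_device(struct work_model *w, struct fb_model *fbi,
                          bool cancel_first) {
    if (cancel_first)
        cancel_task(w);
    bool dangling = w->pending && w->owner == fbi;
    free(fbi);                   /* unregister_framebuffer() -> put_fb_info() */
    return dangling;
}

/* One blank-then-remove sequence; returns 1 if a use-after-free window exists. */
int uaf_window(bool cancel_first) {
    struct work_model task = {0};
    struct fb_model *fbi = calloc(1, sizeof *fbi);
    if (!fbi) return -1;
    schedule_task(&task, fbi);
    return remove_device(&task, fbi, cancel_first) ? 1 : 0;
}

int main(void) {
    printf("no cancel: %d, cancel first: %d\n", uaf_window(false), uaf_window(true));
    return 0;
}
```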
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and available updates
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
- Restrict local access to affected devices to authorized personnel only
- Monitor for anomalous system behavior or unexpected module loading/unloading activities
- Review and apply Siemens security advisories for SINEC OS third-party component updates
Evidence notes
Vulnerability description derived from CISA ICS advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557. The use-after-free condition is triggered during module removal when scheduled work references freed framebuffer memory. CVSS 3.1 vector confirms local attack vector with low attack complexity and low privileges required.
Official resources
- CVE-2024-49924 CVE record (CVE.org)
- CVE-2024-49924 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)