PatchSiren cyber security CVE debrief
CVE-2024-49938 Siemens CVE debrief
CVE-2024-49938 is a vulnerability in the Linux kernel's ath9k_htc WiFi driver, specifically affecting the handling of socket buffer (SKB) length operations during USB host interface operations. The issue stems from improper initialization of SKB length fields in error paths, where skb_trim() performs sanity checks on potentially uninitialized length values. The vulnerability was resolved by replacing skb_trim() calls with __skb_set_length(skb, 0) in both ath9k_hif_usb_reg_in_cb() and ath9k_hif_usb_rx_cb() functions, which safely resets the buffer length without triggering uninitialized value checks.
Siemens has identified this CVE as affecting their RUGGEDCOM RST2428P and SCALANCE networking product families running SINEC OS, which incorporate the vulnerable Linux kernel components. The CISA advisory ICSA-25-226-07, published August 12, 2025, tracks this vulnerability as part of Siemens' third-party component security assessment.
No CVSS score has been assigned in the available sources. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices with WiFi capabilities, particularly those deployed in industrial environments where SINEC OS manages network infrastructure. Security teams responsible for industrial control system patch management and kernel-level vulnerability remediation should prioritize this advisory.
Technical summary
The vulnerability exists in the ath9k_htc driver's USB host interface callback functions where skb_trim() was used to reset socket buffer lengths before URB resubmission. The skb_trim() function performs sanity checks that can trigger on uninitialized length values in certain error paths. The resolution replaces skb_trim() with __skb_set_length(skb, 0), which directly sets the length without validation checks. This change also eliminates a redundant skb_reset_tail_pointer() call since __skb_set_length() internally performs this operation. The affected code paths are in USB register input callback (ath9k_hif_usb_reg_in_cb) and USB receive callback (ath9k_hif_usb_rx_cb) functions.
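The difference between the two helpers can be seen in a small userspace model. This is an added example, not kernel source and not code from the advisory: the struct, the `model_*` function names, the shadow bit that stands in for a sanitizer, and the stale length values are all constructed for illustration, and the model covers linear buffers only.

```c
/* Added illustration: simplified userspace model, not kernel source. */
#include <stdbool.h>
#include <stdio.h>
struct model_skb {
    unsigned int len;         /* payload length field */
    bool len_written;         /* shadow bit standing in for a sanitizer */
    unsigned char *data;      /* start of payload */
    unsigned char *tail;      /* end of payload */
    unsigned int stale_reads; /* loads of len made before any store */
};
struct reset_result { unsigned int stale_reads, final_len; bool tail_at_data; };

/* Models __skb_set_length(): stores len and tail, never loads the old len. */
static void model_set_length(struct model_skb *skb, unsigned int len)
{
    skb->len = len;
    skb->len_written = true;
    skb->tail = skb->data + len;
}

/* Models skb_trim(): loads the existing len to decide whether to shrink. */
static void model_trim(struct model_skb *skb, unsigned int len)
{
    if (!skb->len_written)
        skb->stale_reads++;          /* the load a sanitizer reports */
    if (skb->len > len)
        model_set_length(skb, len);
}

/* Error path: len never written (stale_len is constructed), then reset. */
static struct reset_result reset_before_resubmit(bool fixed, unsigned int stale_len)
{
    static unsigned char buf[64];
    struct model_skb skb = { stale_len, false, buf, buf + 7, 0 };
    if (fixed) {
        model_set_length(&skb, 0);   /* post-fix: one unconditional store */
    } else {
        model_trim(&skb, 0);         /* pre-fix: branch depends on stale len */
        skb.tail = skb.data;         /* models the separate tail reset */
    }
    return (struct reset_result){ skb.stale_reads, skb.len, skb.tail == skb.data };
}

int main(void)
{
    printf("stale loads: pre-fix=%u post-fix=%u\n",
           reset_before_resubmit(false, 0xdeadbeefu).stale_reads,
           reset_before_resubmit(true, 0xdeadbeefu).stale_reads);
    return 0;
}
```

Both paths leave the buffer empty with the tail at the start of the data; only the pre-fix path consults the never-written length on the way there.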
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for specific product patch availability and version guidance
- Verify SINEC OS and underlying Linux kernel versions on affected Siemens RUGGEDCOM and SCALANCE devices
- Apply vendor-provided firmware updates when available per Siemens maintenance schedules
- Monitor CISA ICS advisories for additional guidance on industrial control system defensive measures
- Implement network segmentation for industrial WiFi deployments to limit potential attack surface
- Follow CISA recommended practices for ICS defense in depth strategies
Evidence notes
The vulnerability description indicates this was discovered through Syzbot kernel fuzzing and subsequently patched in the Linux kernel. The fix involves two specific callback functions in the ath9k_htc USB host interface: ath9k_hif_usb_reg_in_cb() and ath9k_hif_usb_rx_cb(). Siemens' ProductCERT advisory SSA-355557 provides the authoritative product impact assessment for industrial networking equipment. CISA's advisory underwent multiple revisions between initial publication and February 2026, including corrections to affected product lists and removal of rejected CVEs from related advisories.
Official resources
- CVE-2024-49938 CVE record (CVE.org)
- CVE-2024-49938 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12