PatchSiren cyber security CVE debrief
CVE-2024-49966 Siemens CVE debrief
CVE-2024-49966 describes a use-after-free condition in the Linux kernel's OCFS2 (Oracle Cluster File System 2) quota subsystem. The vulnerability occurs when ocfs2_global_read_info() initializes and schedules dqi_sync_work at the end of its execution, but the work is not cancelled before freeing the oinfo structure. This can lead to memory corruption if the work item executes after the structure has been freed. The vulnerability was published on 2025-08-12 and last modified on 2026-02-25. Siemens has identified this CVE as affecting third-party components in SINEC OS, specifically the RUGGEDCOM RST2428P (6GK6242-6PA00) and other industrial networking products. However, the CISA advisory marks the impact as 'Misinformed' for the listed products, indicating potential clarification or correction in the advisory's threat assessment. The advisory underwent multiple revisions, with the most recent update on 2026-02-25 reflecting republication based on Siemens ProductCERT SSA-355557 advisory. No CVSS score or severity rating is currently available for this CVE.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
System administrators managing Siemens industrial networking equipment running SINEC OS, particularly RUGGEDCOM RST2428P and SCALANCE XC/XR/XCM/XRM/XCH/XRH series devices. Security teams in operational technology (OT) environments should monitor for kernel updates from Siemens. Organizations using OCFS2 with quota support on Linux systems should track upstream kernel patches for this vulnerability.
Technical summary
The vulnerability exists in the OCFS2 filesystem's global quota information handling. When ocfs2_global_read_info() initializes quota information, it schedules dqi_sync_work for periodic synchronization. If the oinfo structure containing this work item is freed without first cancelling the pending work, a use-after-free condition occurs. This is a classic kernel concurrency bug where delayed work execution can reference freed memory. The fix requires cancelling dqi_sync_work before freeing the oinfo structure to ensure proper synchronization. While the CISA advisory categorizes the impact as 'Misinformed' for the listed Siemens products, the underlying kernel vulnerability remains valid and could affect any system running the vulnerable OCFS2 code with quota support enabled.
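The ordering rule the fix enforces (cancel the delayed work, then free its container) can be shown with a small userspace model. The code below is an added example, not kernel or Siemens code: the work queue, the struct layout and the helper names are assumptions that stand in for the kernel workqueue, and it checks by pointer value alone, without ever dereferencing freed memory, whether a queued work item still points into the freed oinfo block.

```c
/* Added example, not kernel or Siemens code: a single-threaded model of the
 * kernel delayed-work queue showing the ordering bug behind CVE-2024-49966
 * (oinfo freed while dqi_sync_work is still queued) and the fix (cancel
 * first). The queue, struct layout and helper names are assumptions. */
#include <stdint.h>
#include <stdlib.h>
struct delayed_work { void (*fn)(struct delayed_work *); };
/* Modelled quota info: the work item is embedded, so a queued pointer to
 * dqi_sync_work is a pointer into this allocation. */
struct oinfo {
    struct delayed_work dqi_sync_work;
    int dqi_syncms;
};
static struct delayed_work *pending[8];
static int npending;
static void schedule_delayed_work(struct delayed_work *w) {
    if (npending < 8) pending[npending++] = w;
}
/* Model of cancel_delayed_work_sync(): dequeue so the item can never run. */
static void cancel_delayed_work_sync(struct delayed_work *w) {
    for (int i = 0; i < npending; i++)
        if (pending[i] == w) { pending[i] = pending[--npending]; return; }
}
static void qsync_work_fn(struct delayed_work *w) { (void)w; }
/* Model of ocfs2_global_read_info(): set up oinfo and queue the sync work. */
static struct oinfo *read_info(void) {
    struct oinfo *oinfo = calloc(1, sizeof *oinfo);
    oinfo->dqi_syncms = 10000;
    oinfo->dqi_sync_work.fn = qsync_work_fn;
    schedule_delayed_work(&oinfo->dqi_sync_work);
    return oinfo;
}
/* 1 if a queued item still points into [base, base + len): dangling work.
 * Compares addresses only; nothing freed is dereferenced. */
static int pending_points_into(uintptr_t base, size_t len) {
    for (int i = 0; i < npending; i++)
        if ((uintptr_t)pending[i] - base < len) return 1;
    return 0;
}
/* Teardown: cancel_first = 1 is the patched order, 0 the vulnerable one.
 * Returns 1 when a work item pointing into freed memory is left queued. */
static int free_info(struct oinfo *oinfo, int cancel_first) {
    uintptr_t base = (uintptr_t)oinfo;
    if (cancel_first) cancel_delayed_work_sync(&oinfo->dqi_sync_work);
    free(oinfo);
    int dangling = pending_points_into(base, sizeof *oinfo);
    npending = 0; /* discard the stale entry so the model can be reused */
    return dangling;
}
```

With the patched order free_info() reports no dangling work; with the vulnerable order the queue still holds a pointer into the freed block, which is exactly what a later work execution would dereference.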
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for current product-specific impact assessment and patch availability
- Verify kernel version and OCFS2 quota subsystem configuration on affected Siemens devices
- Monitor CISA ICS advisory ICSA-25-226-07 for updates to threat categorization
- Apply vendor-provided firmware updates when available for RUGGEDCOM RST2428P and related SCALANCE product families
- Implement network segmentation for industrial control systems per CISA recommended practices
- Disable OCFS2 quota functionality if not required as a temporary risk reduction measure
Evidence notes
The vulnerability description indicates a kernel-level memory management issue in OCFS2 quota handling. The 'Misinformed' threat categorization in the CISA advisory suggests the initial impact assessment may have been corrected or clarified in subsequent revisions. The advisory's revision history shows active maintenance, with the February 2026 updates removing multiple rejected CVEs and clarifying affected product configurations.
Official resources
- CVE-2024-49966 CVE record (CVE.org)
- CVE-2024-49966 NVD detail (NVD)
- Source item URL (cisa_csaf)