PatchSiren cyber security CVE debrief
CVE-2024-50001 Siemens CVE debrief
CVE-2024-50001 is a vulnerability in the Linux kernel's Mellanox mlx5 network driver affecting multi-packet WQE (Work Queue Element) transmit operations. The flaw occurs in the error handling path when DMA mapping fails due to memory pressure or IOMMU page table exhaustion. The vulnerable code erroneously unmaps an entry from the send queue's FIFO list of active DMA mappings even though no mapping was established for the current operation. This incorrect unmap removes an arbitrary, potentially still-required DMA mapping. If the PCI function subsequently presents that IOVA (I/O Virtual Address), the IOMMU may interpret it as rogue DMA access, potentially placing the PCI function in an error state. The issue was observed in stress-test environments with memory pressure. Siemens has identified affected products in its industrial networking portfolio, including the RUGGEDCOM RST2428P and SCALANCE switch families, with vendor fixes available.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment with Mellanox mlx5-based network interfaces, particularly in memory-constrained or high-load environments. System administrators of Linux-based industrial control systems using mlx5 drivers. Security teams responsible for OT/ICS infrastructure availability and PCI function stability. Organizations running s390 systems with IOMMU-enabled PCI devices where rogue DMA detection triggers hardware error states.
Technical summary
The vulnerability exists in the net/mlx5 driver's multi-packet WQE transmit code path. When dma_map_single() fails due to memory pressure or IOMMU page table exhaustion, the error handling at the err_unmap label incorrectly calls dma_unmap_single() on an entry from the sq->fifo list. Since the mapping for the current skb failed, this unmap operation targets a previously established, unrelated DMA mapping. The sq->fifo list tracks active mappings for cleanup; removing an entry without a corresponding unmap of the actual DMA mapping creates a resource leak and, more critically, invalidates a valid IOVA that may still be in use by hardware. When that IOVA is subsequently accessed, the IOMMU detects an unauthorized DMA operation. On IBM Z (s390) systems with s390_iommu, this results in the PCI function being placed in an error state that requires manual recovery. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with low attack complexity, low privileges required, and high availability impact.
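The following is an added, constructed C model of the error-path defect described above; it is not the kernel's mlx5 code, and the structure names, the `model_dma_map` stand-in for dma_map_single() and the `model_unmap_last` stand-in for the err_unmap cleanup are assumptions made for illustration. It contrasts the buggy path, where a failed map still falls into the cleanup and pops an unrelated live mapping from the FIFO, with a path that drops the packet without touching the FIFO.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define FIFO_SIZE 8

/* Constructed model of the send queue's FIFO of live DMA mappings
 * (the page's sq->fifo); not the kernel's actual struct. */
struct tx_sq {
    uint64_t fifo[FIFO_SIZE];   /* IOVAs of mappings hardware may still use */
    int count;
};

/* Stand-in for dma_map_single(): under simulated memory pressure the IOMMU
 * page-table allocation fails and no mapping is created at all. */
static bool model_dma_map(uint64_t buf, bool under_pressure, uint64_t *iova)
{
    if (under_pressure)
        return false;
    *iova = buf | 0x8000000000ULL;   /* arbitrary constructed IOVA */
    return true;
}

/* Stand-in for the err_unmap cleanup: pops and unmaps the newest FIFO entry. */
static void model_unmap_last(struct tx_sq *sq)
{
    if (sq->count > 0)
        sq->count--;
}

/* Buggy path as the page describes it: a failed map still jumps to err_unmap,
 * so a still in-flight mapping belonging to an earlier packet is torn down. */
int xmit_buggy(struct tx_sq *sq, uint64_t buf, bool under_pressure)
{
    uint64_t iova;
    if (!model_dma_map(buf, under_pressure, &iova))
        goto err_unmap;
    sq->fifo[sq->count++] = iova;
    return 0;
err_unmap:
    model_unmap_last(sq);   /* nothing of ours was mapped: pops someone else's */
    return -1;
}

/* Fixed path: drop the packet; the FIFO is untouched because nothing was mapped. */
int xmit_fixed(struct tx_sq *sq, uint64_t buf, bool under_pressure)
{
    uint64_t iova;
    if (!model_dma_map(buf, under_pressure, &iova))
        return -1;
    sq->fifo[sq->count++] = iova;
    return 0;
}

/* Scenario: packet A maps successfully, then packet B hits memory pressure.
 * Returns how many mappings the FIFO still tracks afterwards. */
int live_mappings_after_failure(bool use_fixed_path)
{
    struct tx_sq sq;
    memset(&sq, 0, sizeof(sq));
    int (*xmit)(struct tx_sq *, uint64_t, bool) = use_fixed_path ? xmit_fixed : xmit_buggy;
    xmit(&sq, 0x1000, false);   /* packet A: mapping still needed by hardware */
    xmit(&sq, 0x2000, true);    /* packet B: dma_map fails */
    return sq.count;            /* buggy: 0 (A's IOVA lost), fixed: 1 */
}
```

In the buggy case the IOVA for packet A is no longer tracked even though the hardware has not finished with it, which is the state the IOMMU later flags as rogue DMA.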
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family to V3.2 or later
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult vendor guidance for specific affected configurations and apply appropriate updates
- Monitor systems with Mellanox mlx5-based networking for PCI function error states, particularly under memory pressure conditions
- Implement memory pressure monitoring and alerting on affected industrial control systems
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Review IOMMU configuration and logging for early detection of rogue DMA access attempts
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The flaw affects the net/mlx5 driver in the Linux kernel. The issue manifests under memory pressure conditions when IOMMU page table allocation fails. On s390 systems, this can trigger PCI function error states due to IOMMU rogue access detection.
Official resources
- CVE-2024-50001 CVE record (CVE.org)
- CVE-2024-50001 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12