PatchSiren

CVE-2024-50051 Siemens CVE debrief

This CVE describes a use-after-free (UAF) vulnerability in the Linux kernel's SPI driver for the Freescale/NXP MPC52xx platform. The issue occurs in the `mpc52xx_spi_remove` function when a kernel module is unloaded: the driver's private data structure (`ms`) is freed via `spi_unregister_controller`, but a pending work item (`ms->work`) may still be scheduled for execution, leading to memory corruption and potential system instability or privilege escalation. The vulnerability is classified as MEDIUM severity with a CVSS 3.1 score of 5.5, reflecting a local attack vector, low attack complexity, and high availability impact. Siemens has identified affected products in its industrial networking portfolio, including RUGGEDCOM RST2428P and SCALANCE switch families running SINEC OS. The vendor has released updates to address this issue, with specific version guidance provided per product line.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial Ethernet switches; OT security teams managing SINEC OS deployments; Linux kernel maintainers for embedded/powerpc platforms; industrial control system administrators responsible for patch management in critical infrastructure environments

Technical summary

The vulnerability exists in the `spi-mpc52xx.c` Linux kernel driver used by Siemens SINEC OS in certain industrial networking products. The race condition occurs during module removal: `mpc52xx_spi_remove()` calls `spi_unregister_controller()`, which frees the driver-private `mpc52xx_spi` structure (`ms`), but if `ms->work` was previously queued via the workqueue mechanism, the pending work item may execute after the memory has been freed. The fix adds `cancel_work_sync(&ms->work)` before the unregister call so that pending work is cancelled or has finished before the structure is deallocated. This is a classic teardown race condition in Linux kernel driver code. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with high availability impact, consistent with kernel memory corruption leading to system crash or instability.
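
An added example, not taken from the kernel source or the Siemens advisory: a Python check that someone auditing a kernel tree or backport could run over `spi-mpc52xx.c` to confirm the ordering described above, namely that `cancel_work_sync` is called before `spi_unregister_controller` inside `mpc52xx_spi_remove`. The two C excerpts are constructed and simplified, and the helper names (`audit_remove`, `function_body`, `strip_comments`) are assumptions of this example.

```python
import re

# Constructed, simplified excerpts modelled on the summary above (not verbatim kernel source).
UNPATCHED = """
static void mpc52xx_spi_remove(struct platform_device *op)
{
    struct spi_controller *host = platform_get_drvdata(op);
    struct mpc52xx_spi *ms = spi_controller_get_devdata(host);

    free_irq(ms->irq0, ms);
    spi_unregister_controller(host);
}
"""
PATCHED = UNPATCHED.replace("free_irq(ms->irq0, ms);",
                            "cancel_work_sync(&ms->work);\n    free_irq(ms->irq0, ms);")


def strip_comments(src):
    """Drop C comments so a commented-out call is not counted as present."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def function_body(src, name):
    """Return the brace-balanced body of the C function `name`, or None."""
    m = re.search(r"\b%s\s*\([^;{]*\)\s*\{" % re.escape(name), src)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[m.end():i]
    return None


def audit_remove(src, fn="mpc52xx_spi_remove",
                 cancel="cancel_work_sync", free="spi_unregister_controller"):
    """Return 'patched', 'vulnerable', 'unknown' or 'not-found' for the remove path."""
    body = function_body(strip_comments(src), fn)
    if body is None:
        return "not-found"          # driver or function absent from this file
    c = re.search(r"\b%s\s*\(" % re.escape(cancel), body)
    f = re.search(r"\b%s\s*\(" % re.escape(free), body)
    if f is None:
        return "unknown"            # no explicit unregister; needs manual review
    # Safe only if pending work is cancelled before the structure can be freed.
    return "patched" if c and c.start() < f.start() else "vulnerable"
```

The check is textual and only inspects call order within one function, so treat "patched" as a first-pass signal and review any "unknown" result by hand.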

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to affected Siemens RUGGEDCOM and SCALANCE products per product-specific guidance in Siemens ProductCERT advisory SSA-355557
  • For RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family, update to SINEC OS V3.2 or later
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration and patch guidance
  • Implement network segmentation for industrial control systems to limit local access vectors
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Monitor Siemens ProductCERT and CISA ICS advisories for additional updates or clarifications

Evidence notes

The vulnerability description is derived from the Linux kernel commit message and CISA CSAF advisory ICSA-25-226-07. The affected product list and remediation guidance are sourced from Siemens ProductCERT advisory SSA-355557 as republished by CISA. CVSS scoring details are provided in the CSAF document. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the source publication date.

Official resources

CVE-2024-50051 was published on 2025-08-12 and last modified on 2026-02-25. The vulnerability was disclosed through coordinated disclosure involving CISA and Siemens ProductCERT, with the advisory ICSA-25-226-07 serving as the primary US-CO