PatchSiren cyber security CVE debrief
CVE-2024-50082 Siemens CVE debrief
A race condition vulnerability in the Linux kernel's block request quality-of-service (blk-rq-qos) subsystem can cause system crashes. The flaw exists in the interaction between rq_qos_wait and rq_qos_wake_function, where improper ordering of waitqueue entry access may trigger a crash condition. This vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC/XR/XCM/XRM/XCH/XRH families. The issue was published on August 12, 2025, with the advisory last modified on February 25, 2026, to clarify affected product configurations and remove rejected CVEs. Siemens has provided vendor fixes requiring updates to version 3.2 or later for affected products. The CVSS 3.1 score of 5.5 (Medium) reflects a local attack vector, low attack complexity, and low privileges required, with high availability impact but no confidentiality or integrity impact.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial networking equipment in operational technology (OT) environments. System administrators responsible for maintaining availability of industrial control systems and network infrastructure. Security teams monitoring Linux kernel vulnerabilities affecting embedded industrial systems.
Technical summary
The vulnerability resides in the Linux kernel's block request quality-of-service (blk-rq-qos) implementation. A race condition between rq_qos_wait and rq_qos_wake_function can cause a system crash due to incorrect ordering of waitqueue entry access. The fix ensures proper synchronization when accessing the waitqueue entry. This is a local vulnerability requiring low privileges with no authentication, affecting availability only. The flaw impacts Siemens industrial networking equipment running SINEC OS, including RUGGEDCOM RST2428P and multiple SCALANCE product families.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to version 3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE product families
- Review CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
- Monitor Siemens ProductCERT advisory SSA-355557 for additional product-specific guidance
- Verify SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configuration against vendor documentation to confirm affected status
Evidence notes
CVE description and affected product list derived from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. CVSS vector confirms local attack scope with availability impact. Remediation guidance specifies version 3.2 or later as the vendor fix.
Official resources
- CVE-2024-50082 CVE record (CVE.org)
- CVE-2024-50082 NVD detail (NVD)
- Source item URL: cisa_csaf
2025-08-12