PatchSiren cyber security CVE debrief
CVE-2024-50199 Siemens CVE debrief
CVE-2024-50199 is a Linux kernel memory management vulnerability affecting the swapfile subsystem. The issue occurs when HugeTLB (Huge Translation Lookaside Buffer) pages are not properly skipped during the unuse_vma operation, leading to a bad pud (Page Upper Directory) error and potential loss of 1GB HugeTLB pages when swapoff is called. This vulnerability has been identified in Siemens industrial networking products running SINEC OS, specifically affecting RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family and XCM-/XRM-/XCH-/XRH-300 family devices. The vulnerability requires local access with low privileges to exploit, and while it does not impact confidentiality or integrity, it can cause high availability impact through denial of service conditions. Siemens has released firmware updates to address this issue, with V3.2 or later versions containing the necessary fixes.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P industrial switches or SCALANCE XC/XR/XCM/XRM/XCH/XRH series managed switches in industrial control system environments. System administrators responsible for Linux-based embedded systems using HugeTLB pages and swap configurations. OT security teams monitoring for kernel-level vulnerabilities in industrial networking infrastructure. Organizations subject to NERC CIP or other critical infrastructure cybersecurity frameworks requiring timely vulnerability remediation.
Technical summary
The vulnerability exists in the Linux kernel's mm/swapfile.c where HugeTLB pages are not properly excluded from unuse_vma processing. When swapoff is invoked, the kernel attempts to unmap swap entries for virtual memory areas, but fails to handle HugeTLB pages correctly, resulting in pud corruption and 1GB HugeTLB page loss. The CVSS 3.1 score of 5.5 (MEDIUM) reflects AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H - local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact. The vulnerability is classified under CWE-20 (Improper Input Validation). Siemens has addressed this through firmware updates in SINEC OS V3.2, which incorporates the upstream Linux kernel fix that adds proper HugeTLB page skipping in the unuse_vma path.
Defensive priority
medium
Recommended defensive actions
- Apply vendor firmware updates to V3.2 or later for affected RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT SSA-355557 for specific configuration guidance and update paths
- Implement network segmentation for industrial control systems to limit local access vectors
- Monitor for anomalous swapoff operations or HugeTLB allocation failures as potential indicators of exploitation attempts
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
- Establish change control procedures for swap configuration modifications on affected systems
Evidence notes
CVE published 2025-08-12; modified 2026-02-25. Source advisory ICSA-25-226-07 published same date. Siemens ProductCERT SSA-355557 provides vendor remediation guidance. CVSS 3.1 vector confirms local attack vector with low attack complexity and high availability impact.
Official resources
-
CVE-2024-50199 CVE record
CVE.org
-
CVE-2024-50199 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12