PatchSiren cyber security CVE debrief
CVE-2024-50273 Siemens CVE debrief
CVE-2024-50273 is a vulnerability in the Linux kernel's Btrfs filesystem implementation, specifically within the delayed reference handling code. The issue occurs in `insert_delayed_ref()` when updating an existing reference's action to `BTRFS_DROP_DELAYED_REF`. The code uses `list_del()` to remove the reference from its ref head's `ref_add_list`, but fails to reinitialize the reference's `add_list` member afterward. Since `list_del()` sets the list's `next` and `prev` pointers to `LIST_POISON1` and `LIST_POISON2` respectively, this leaves the list structure in a poisoned state. If the reference is subsequently reused or reinserted without proper reinitialization, this can lead to memory corruption, crashes, or potentially exploitable conditions. The vulnerability was published on August 12, 2025, and modified on February 25, 2026. Siemens has identified this CVE as affecting certain industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE X-family switches, though the CISA advisory marks the impact assessment as 'Misinformed' for the affected product configurations. No CVSS score or severity rating is currently available.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
- Organizations operating Siemens industrial networking equipment, including RUGGEDCOM RST2428P and SCALANCE X-family switches running SINEC OS.
- System administrators managing Linux systems with Btrfs filesystems, particularly in industrial control system environments.
- Security teams responsible for OT/ICS infrastructure patch management.
Technical summary
The vulnerability exists in the Btrfs filesystem's delayed reference mechanism. When `insert_delayed_ref()` updates a reference action to `BTRFS_DROP_DELAYED_REF`, it removes the reference from `ref_add_list` using `list_del()`. The Linux kernel's `list_del()` implementation sets the `next` and `prev` pointers to `LIST_POISON1` and `LIST_POISON2` as a debugging aid to detect use-after-free conditions. However, the Btrfs code fails to reinitialize these poisoned pointers before potential reuse. This can cause kernel crashes or memory corruption if the reference structure is accessed again. The bug represents a failure to maintain proper list invariant state after deletion.
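The list state described above, reproduced as an added user-space C example (not kernel, Btrfs or Siemens code). `unlink_entry` and `drop_ref` are hypothetical helpers, the poison values are constructed stand-ins, and `list_del_init()` is the kernel list helper that unlinks and reinitializes in one call.

```c
/* User-space model of the kernel list helpers; not kernel or Btrfs source. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
/* Constructed stand-ins for the kernel's LIST_POISON1/LIST_POISON2 values. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0x100)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0x122)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head; head->prev->next = n; head->prev = n;
}

static void unlink_entry(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
}

/* list_del(): unlink, then poison the entry's own pointers. */
static void list_del(struct list_head *e)
{
    unlink_entry(e); e->next = LIST_POISON1; e->prev = LIST_POISON2;
}

/* list_del_init(): unlink, then leave the entry as a valid empty list. */
static void list_del_init(struct list_head *e) { unlink_entry(e); INIT_LIST_HEAD(e); }

/* Hypothetical model: link a ref's add_list, drop it, report if it is poison-free.
 * *looks_linked is what a later !list_empty(&ref->add_list) check would see. */
static bool drop_ref(bool reinit, bool *looks_linked)
{
    struct list_head ref_add_list, add_list;
    INIT_LIST_HEAD(&ref_add_list);
    list_add_tail(&add_list, &ref_add_list);
    if (reinit) list_del_init(&add_list); else list_del(&add_list);
    *looks_linked = !list_empty(&add_list);
    return add_list.next != LIST_POISON1 && add_list.prev != LIST_POISON2;
}

int main(void)
{
    bool l1, l2, c1 = drop_ref(false, &l1), c2 = drop_ref(true, &l2);
    printf("list_del:      poison_free=%d looks_linked=%d\n", c1, l1);
    printf("list_del_init: poison_free=%d looks_linked=%d\n", c2, l2);
    return 0;
}
```

After `list_del()` the node holds poison pointers yet `list_empty()` reports it as non-empty, so any later code that trusts that check would follow the poison values; after `list_del_init()` the node is a valid empty list and the same check skips it.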
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed product-specific impact and patch information
- Verify Btrfs filesystem usage on affected Siemens devices running SINEC OS
- Apply kernel updates from Siemens when available for affected RUGGEDCOM and SCALANCE products
- Monitor CISA ICS advisories for updates to impact assessment
- Implement network segmentation for industrial control systems per CISA recommended practices
- Review system logs for Btrfs-related errors or unexpected filesystem behavior on potentially affected devices
Evidence notes
The vulnerability description is derived from the CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The technical details describe a Btrfs kernel bug where `list_del()` poisons list pointers without subsequent reinitialization. The 'Misinformed' impact categorization for affected products is taken directly from the source advisory's threat statements. No CVSS vector or score is present in the source material.
Official resources
- CVE-2024-50273 CVE record (CVE.org)
- CVE-2024-50273 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12