PatchSiren cyber security CVE debrief
CVE-2024-57256 Cert Portal CVE debrief
CVE-2024-57256 describes an integer overflow in Das U-Boot’s ext4fs_read_symlink path when processing a crafted ext4 filesystem. According to the advisory, an inode size of 0xffffffff can cause a zalloc size calculation to wrap, resulting in a zero-byte allocation and a memory overwrite. Siemens lists affected RUGGEDCOM ROX devices and provides a fix in V2.17.1 or later.
- Vendor: Cert Portal
- Product: Siemens RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536 and RX5000, versions before V2.17.1 (the source gives the affected range as < 2.17.1)
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers of Siemens RUGGEDCOM ROX devices, especially MX5000 and the RX-series models listed in the advisory, should review this immediately. Security teams responsible for embedded Linux boot components or field-updatable industrial devices should also assess exposure.
Technical summary
The issue is an integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1. The advisory states that a crafted ext4 filesystem whose inode size field is 0xffffffff overflows the size passed to zalloc: adding one to the 32-bit (le32) size wraps to zero, so zalloc returns a zero-length buffer and the copy of the symlink target that follows writes past it. The CVSS vector provided by the source is CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H: physical access (AV:P) and high attack complexity (AC:H), but a scope change with high confidentiality, integrity and availability impact.
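The wrap described above, as an added illustration that is not U-Boot code and not the vendor's patch: a constructed inode stand-in (`struct fake_inode`, a little-endian 32-bit size plus constructed target bytes) shows the unchecked "size + 1" computation returning 0 for 0xffffffff, next to a checked variant that rejects that size before allocating. The struct layout, the function names and the `MAX_SYMLINK_LEN` bound are assumptions made for this example; the check is the general pattern for this class of bug, not a claim about the exact wording of the upstream fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for the part of an ext4 inode that matters here: the
 * on-disk size is a little-endian 32-bit field (the "le32 variable" in the
 * CVE text). Real U-Boot inodes carry many more fields; this is not U-Boot.
 */
struct fake_inode {
    unsigned char size_le[4];   /* i_size as stored on disk, little-endian */
    const char *target;         /* constructed symlink target bytes */
    size_t target_avail;        /* how many target bytes are really present */
};

/* Decode a little-endian 32-bit field regardless of host byte order. */
static uint32_t le32_to_host(const unsigned char b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Vulnerable pattern: "size + 1" evaluated in 32 bits. 0xffffffff + 1 wraps
 * to 0, so a zero-byte allocation is handed to the copy that follows. */
static uint32_t symlink_alloc_size_unchecked(uint32_t inode_size)
{
    return inode_size + 1;
}

/* Hardened pattern: refuse a size whose +1 cannot be represented, and cap the
 * symlink length to a sane bound (hypothetical value chosen for this example,
 * not a figure from the advisory). */
#define MAX_SYMLINK_LEN 4096u

static int symlink_alloc_size_checked(uint32_t inode_size, size_t *out)
{
    if (inode_size == UINT32_MAX || inode_size > MAX_SYMLINK_LEN)
        return -1;
    *out = (size_t)inode_size + 1;   /* cannot wrap after the check */
    return 0;
}

/* Read a symlink target out of a constructed inode via the checked path.
 * Returns a NUL-terminated heap string, or NULL if the inode is rejected. */
static char *read_symlink_checked(const struct fake_inode *ino)
{
    uint32_t size = le32_to_host(ino->size_le);
    size_t alloc;
    char *buf;

    if (symlink_alloc_size_checked(size, &alloc) != 0)
        return NULL;
    if (size > ino->target_avail)   /* never read past what is on "disk" */
        return NULL;
    buf = calloc(alloc, 1);         /* zalloc equivalent: zero-filled */
    if (!buf)
        return NULL;
    memcpy(buf, ino->target, size); /* exactly size bytes; the NUL fits */
    return buf;
}

/* Scalar helpers so each behaviour can be asserted on directly. */
static long long checked_size_or_neg(uint32_t inode_size)
{
    size_t n;
    return symlink_alloc_size_checked(inode_size, &n) == 0 ? (long long)n : -1;
}

static int crafted_inode_is_rejected(void)
{
    /* Constructed malicious inode: i_size = 0xffffffff, little-endian. */
    struct fake_inode evil = { {0xff, 0xff, 0xff, 0xff}, "AAAA", 4 };
    return read_symlink_checked(&evil) == NULL;
}

static int benign_inode_reads_ok(void)
{
    /* Constructed benign inode: i_size = 7, target bytes "/boot/zImage". */
    struct fake_inode good = { {0x07, 0x00, 0x00, 0x00}, "/boot/zImage", 12 };
    char *s = read_symlink_checked(&good);
    int ok = s != NULL && strcmp(s, "/boot/z") == 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("unchecked alloc size for 0xffffffff: %u\n",
           symlink_alloc_size_unchecked(0xffffffffu));
    printf("checked size for 0xffffffff: %lld\n", checked_size_or_neg(0xffffffffu));
    printf("crafted inode rejected: %d\n", crafted_inode_is_rejected());
    printf("benign inode reads: %d\n", benign_inode_reads_ok());
    return 0;
}
```

The unchecked helper is only there to make the wrap visible; in the real code path the zero-length buffer is followed by a copy of inode-size bytes, which is the memory overwrite the advisory describes, so the example deliberately never performs that copy. The checked variant rejects the 0xffffffff case before any allocation happens, and the separate bound against `target_avail` shows the second check a reader of crafted filesystem metadata also needs: the declared size must not exceed what is actually present on disk.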
Defensive priority
High. The vulnerability is rated CVSS 7.1 and affects industrial equipment boot/media handling code, so remediation should be prioritized for any deployed or maintenance-path-accessible affected device. Because the source vector indicates physical access and high complexity, focus first on systems where removable media or local maintenance workflows are realistic.
Recommended defensive actions
- Update affected Siemens RUGGEDCOM ROX products to V2.17.1 or later, per the vendor remediation.
- Verify which ROX models and firmware builds are in use against the advisory’s affected-product list.
- Restrict and monitor physical access, removable media use, and maintenance workflows around affected devices until patched.
- Use Siemens and CISA advisory references to confirm whether any device-specific compensating controls are recommended.
- Track the upstream U-Boot fix context for embedded components that may inherit the same code path.
- Document patch status and exception handling for any devices that cannot be updated immediately.
Evidence notes
Based only on the cited Siemens ProductCERT advisory republished by CISA (ICSA-26-134-16) and the associated CVE record. The source description states: an integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc when adding one to an le32 variable via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite. CISA’s source metadata shows publication on 2026-05-12 and republication on 2026-05-14, and the source remediation is V2.17.1 or later.
Official resources
- CVE-2024-57256 CVE record (CVE.org)
- CVE-2024-57256 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the Siemens ProductCERT advisory and republished by CISA as ICSA-26-134-16 on 2026-05-12, with a CISA republication update on 2026-05-14. This debrief uses the CVE’s published date, not the generation time, as the CVE-