PatchSiren cyber security CVE debrief

CVE-2024-42152 Linux CVE debrief

CVE-2024-42152 describes a possible resource leak in the Linux kernel NVMe-oF target (nvmet) subsystem that occurs when destroying a controller during queue pair (QP) establishment. The vulnerability stems from improper cleanup handling during a race condition between controller teardown and QP setup operations. A CVSS v3.1 score of 7.1 (HIGH) indicates significant impact potential, though the specific attack vector requires local or network-adjacent access to the NVMe-oF target interface. The vulnerability was published on 2025-08-12 and subsequently modified on 2026-02-25 as part of CISA's republication of the Siemens ProductCERT advisory. Notably, CISA's advisory ICSA-25-226-07 marks this CVE as 'Misinformed' for the Siemens products listed, indicating these specific industrial control system products were incorrectly identified as affected in earlier versions of the advisory. The 2026-02-25 revision represents the latest CISA republication based on Siemens ProductCERT SSA-355557. Organizations running NVMe-oF target implementations in Linux environments should verify kernel patch levels, while those managing the specifically named Siemens industrial networking products should consult the vendor's official guidance to confirm their actual exposure status.

Vendor: Linux
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Linux-based NVMe-oF target infrastructure, industrial operators using Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 or XCM-/XRM-/XCH-/XRH-300 family devices, OT security teams tracking CISA ICS advisories, and kernel maintainers responsible for storage subsystem security patching.

Technical summary

The vulnerability exists in the Linux kernel's NVMe over Fabrics (NVMe-oF) target implementation (nvmet). During queue pair establishment, if a controller is destroyed while QP setup is in progress, cleanup operations may not properly release allocated resources, resulting in a memory or resource leak. This condition represents a race window between asynchronous controller lifecycle management and QP establishment operations. The CVSS 7.1 HIGH rating suggests meaningful availability impact potential through resource exhaustion, though exploitation requires ability to trigger controller destruction during QP establishment—typically requiring authenticated or privileged access to the NVMe-oF target. The CISA advisory's 'Misinformed' classification for specific Siemens industrial networking products indicates these devices were erroneously associated with this kernel-level vulnerability in earlier advisory versions.

Defensive priority

medium

Recommended defensive actions

Verify Linux kernel version and apply vendor-provided patches for nvmet subsystem if running NVMe-oF target services
Review CISA ICS advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557 for current product impact assessment
Confirm actual affected status of Siemens SCALANCE and RUGGEDCOM devices through vendor security advisory channels
Implement network segmentation for NVMe-oF target interfaces to limit exposure
Monitor kernel logs for anomalous nvmet controller teardown events

Evidence notes

CVE description indicates Linux kernel nvmet subsystem issue. CISA CSAF source marks threat as 'Misinformed' for listed Siemens product IDs (CSAFPID-0006, CSAFPID-0002, CSAFPID-0003). Advisory revision history shows multiple corrections: 2026-02-12 corrected affected products list, 2026-02-24 clarified SCALANCE family configuration and removed rejected CVEs, 2026-02-25 republication based on Siemens SSA-355557.

Official resources

2025-08-12