PatchSiren cyber security CVE debrief
CVE-2024-39276 Siemens CVE debrief
CVE-2024-39276 is a reference count leak vulnerability in the Linux kernel's ext4 filesystem, specifically within the `ext4_xattr_block_cache_find()` function. The issue occurs when `ext4_sb_bread()` returns `-ENOMEM` (out of memory), causing the `mb_cache_entry`'s `e_refcnt` reference count—incremented during `__entry_find()`—to not be decremented. This leads to a reference count leak that triggers a warning in `mb_cache_destroy()` during filesystem unmount. The vulnerability was discovered by Syzbot and affects kernel versions prior to the fix. Siemens has identified this vulnerability as affecting certain industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The CVSS 3.1 score of 5.5 (MEDIUM) reflects local attack vector with low attack complexity and low privileges required, resulting in high confidentiality impact. CISA published advisory ICSA-25-226-15 on August 12, 2025, with subsequent updates through February 25, 2026, to correct affected product listings and incorporate Siemens ProductCERT guidance.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
System administrators managing Siemens industrial networking equipment running SINEC OS, Linux kernel maintainers for embedded and industrial systems, security teams monitoring ICS/OT infrastructure for kernel-level vulnerabilities, and organizations using ext4 with extended attributes on memory-constrained systems
Technical summary
The vulnerability exists in `ext4_xattr_block_cache_find()` where a failure path for `ext4_sb_bread()` returning `-ENOMEM` omits a necessary `mb_cache_entry_put()` call. When `__entry_find()` increments the reference count but the subsequent bread operation fails due to memory exhaustion, the entry remains referenced. During filesystem unmount, `mb_cache_destroy()` detects non-zero reference counts and emits a warning. The fix adds the missing `mb_cache_entry_put()` call on the error branch. This is a resource leak rather than memory corruption, with impact limited to warning generation and potential resource exhaustion under repeated trigger conditions.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to SINEC OS V3.1 or later for affected Siemens industrial networking products
- Monitor CISA ICS advisories for additional product-specific guidance
- Review kernel update availability for non-Siemens Linux systems running ext4 with extended attributes
- Implement memory pressure monitoring to reduce likelihood of -ENOMEM conditions triggering the vulnerable code path
- Validate filesystem unmount operations complete without warnings in system logs
Evidence notes
The vulnerability description is sourced from the Linux kernel commit message resolving the issue, as reproduced in CISA advisory ICSA-25-226-15. The Syzbot report details the warning triggered at `fs/mbcache.c:419` in `mb_cache_destroy()`. Siemens ProductCERT advisory SSA-613116 provides vendor-specific impact assessment and remediation guidance. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates local attack vector with high confidentiality impact but no integrity or availability impact.
Official resources
-
CVE-2024-39276 CVE record
CVE.org
-
CVE-2024-39276 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12