PatchSiren cyber security CVE debrief
CVE-2024-46780 Siemens CVE debrief
This CVE addresses a nilfs2 filesystem vulnerability in the Linux kernel where improper mutual exclusion when accessing superblock buffers in sysfs attribute show methods could lead to pointer dereferencing and memory access issues. The vulnerability stems from missing use of nilfs->ns_sem semaphore protection during these operations. Siemens has assessed this CVE as not affecting their listed industrial control system products, including the RUGGEDCOM RST2428P and SCALANCE switch families, based on their product security advisory SSA-355557. The CISA ICS advisory ICSA-25-226-07, which republished Siemens' assessment, was initially released on August 12, 2025, and most recently updated on February 25, 2026, to reflect corrections to affected product listings and removal of rejected CVEs. No CVSS score or severity rating is available in the source corpus. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Linux-based industrial control systems or embedded devices utilizing the nilfs2 filesystem should verify their exposure. Security teams managing Siemens RUGGEDCOM and SCALANCE product lines can reference vendor guidance indicating non-affected status. OT security practitioners should remain aware of kernel-level filesystem vulnerabilities as part of comprehensive asset inventory and vulnerability management programs.
Technical summary
The nilfs2 filesystem implementation in the Linux kernel contains a vulnerability where superblock buffers accessed through sysfs attribute show methods lack proper mutual exclusion via the nilfs->ns_sem semaphore. This omission can result in unsafe pointer dereferencing and memory access operations. The vulnerability is classified as a concurrency/synchronization issue in kernel filesystem code. Siemens has determined this CVE does not affect their industrial networking products.
Defensive priority
low
Recommended defensive actions
- Verify nilfs2 filesystem is not deployed in embedded Linux environments within industrial control systems
- Review kernel version and nilfs2 module usage in any Linux-based OT devices
- Monitor vendor security advisories for affected product families if nilfs2 is in use
- Apply standard defense-in-depth practices for ICS environments per CISA guidance
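One way to carry out the first two checks on a Linux host, as an added example that is not taken from the Siemens or CISA advisories. The function names are hypothetical; each reads the standard /proc/mounts, /proc/filesystems and /proc/modules files, or copies of them collected from a device.

```shell
#!/bin/sh
# Added example: classify a host's nilfs2 exposure as in-use, available or absent.
# Every function takes the file to read as an argument, so the same checks
# can run against /proc snapshots pulled from OT devices during inventory.

# Print the mount point of every mounted nilfs2 filesystem.
# In /proc/mounts, field 2 is the mount point and field 3 the filesystem type.
nilfs2_mounts() {
    awk '$3 == "nilfs2" { print $2 }' "${1:-/proc/mounts}" 2>/dev/null
}

# Succeed if the kernel has nilfs2 registered (built in or module loaded).
# In /proc/filesystems the filesystem name is the last field on each line.
nilfs2_registered() {
    awk '$NF == "nilfs2" { found = 1 } END { exit !found }' \
        "${1:-/proc/filesystems}" 2>/dev/null
}

# Succeed if nilfs2 is currently loaded as a kernel module.
nilfs2_module_loaded() {
    awk '$1 == "nilfs2" { found = 1 } END { exit !found }' \
        "${1:-/proc/modules}" 2>/dev/null
}

# in-use:    a nilfs2 volume is mounted, so its sysfs attributes are exposed
# available: no volume mounted, but the driver is registered or loaded
# absent:    no sign of nilfs2 in the files examined
nilfs2_exposure() {
    mounts_file=${1:-/proc/mounts}
    fs_file=${2:-/proc/filesystems}
    mod_file=${3:-/proc/modules}
    if [ -n "$(nilfs2_mounts "$mounts_file")" ]; then
        echo "in-use"
    elif nilfs2_registered "$fs_file" || nilfs2_module_loaded "$mod_file"; then
        echo "available"
    else
        echo "absent"
    fi
}

# With no arguments the check reads the live /proc files of this host.
echo "nilfs2 exposure on this host: $(nilfs2_exposure)"
```

A result of "absent" only covers the running kernel; a nilfs2 module that exists on disk but is not loaded will not appear in these files.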
Evidence notes
Source corpus indicates Siemens ProductCERT assessed this CVE as 'Misinformed' impact (not affecting their products). CISA advisory ICSA-25-226-07 republishes Siemens SSA-355557. Revision history shows multiple updates: initial publication 2025-08-12, corrections 2026-02-12 and 2026-02-24, and republication 2026-02-25. No CVSS vector or score present in source.
Official resources
- CVE-2024-46780 CVE record (CVE.org)
- CVE-2024-46780 NVD detail (NVD)
- Source item URL (cisa_csaf)