PatchSiren cyber security CVE debrief
CVE-2024-47660 Siemens CVE debrief
A race condition in the Linux kernel's fsnotify subsystem can cause soft lockups on systems with directories containing many dentries. The vulnerability stems from contention on inode->i_lock when __fsnotify_update_child_dentry_flags() calls race between fsnotify_recalc_mask() and __fsnotify_parent(). Siemens has identified affected industrial networking products running SINEC OS that incorporate the vulnerable kernel code. The issue is resolved by clearing PARENT_WATCHED flags lazily rather than immediately when a parent stops watching children.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family industrial networking devices in critical infrastructure environments. System administrators managing Linux-based industrial systems with directory monitoring capabilities. Security teams responsible for availability of industrial control systems where soft lockups could disrupt operations.
Technical summary
The Linux kernel's fsnotify mechanism uses PARENT_WATCHED flags on child dentries to optimize parent notification checks. When a directory watch is removed, fsnotify_recalc_mask() calls __fsnotify_update_child_dentry_flags() to clear these flags across all children. On directories with many (often negative) dentries, this operation holds inode->i_lock for extended periods. Concurrent __fsnotify_parent() calls on children attempting to update flags create lock contention that can trigger soft lockups. The fix implements lazy clearing: flags are set immediately when watching begins, but cleared only when children are subsequently accessed after watching stops, eliminating the bulk flag-clearing operation.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE products per Siemens ProductCERT advisory SSA-355557
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT SSA-355557 for specific configuration guidance
- Implement network segmentation for industrial control systems to limit local access to affected devices
- Monitor for system unresponsiveness or soft lockup indicators on affected devices as potential exploitation signs
- Review CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
Evidence notes
The vulnerability description indicates this is a Linux kernel fsnotify issue resolved by clearing PARENT_WATCHED flags lazily. The source advisory (ICSA-25-226-07) from CISA identifies Siemens industrial networking products as affected, with vendor fixes available. CVSS 5.5 (MEDIUM) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with low complexity, low privileges required, and high availability impact.
Official resources
-
CVE-2024-47660 CVE record
CVE.org
-
CVE-2024-47660 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12