PatchSiren cyber security CVE debrief

CVE-2024-56558 Siemens CVE debrief

CVE-2024-56558 is a use-after-free vulnerability in the Linux kernel's NFS server (nfsd) subsystem. The flaw exists in the `e_show` function, which is called with RCU (Read-Copy-Update) protection. While RCU ensures that the `exp` (export) structure will not be freed during execution, it does not prevent the reference count from dropping to zero. When `exp_get` is subsequently called, this triggers a refcount use-after-free warning. The vulnerability was published on 2025-08-12 and last modified on 2026-02-25. Siemens has identified this CVE as affecting third-party components in SINEC OS, specifically the RUGGEDCOM RST2428P (6GK6242-6PA00) and other industrial networking products. However, the threat assessment in the source advisory categorizes the impact as 'Misinformed' for the affected product IDs, suggesting the actual risk to these specific Siemens products may be lower than initially assessed or that the vulnerability context differs from standard exploitation scenarios. No CVSS score or severity rating is currently available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no indication of known ransomware campaign use.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE families) running SINEC OS; system administrators managing Linux-based NFS servers in industrial environments; security teams responsible for OT/ICS infrastructure; and vulnerability management programs tracking third-party component vulnerabilities in embedded industrial systems.

Technical summary

The vulnerability resides in the Linux kernel's NFS server implementation. The `e_show` function, used for displaying export information, operates under RCU read-side critical section protection. RCU guarantees that the `exp` structure remains valid (not freed) during execution, but does not synchronize against reference count decrements from other contexts. Consequently, the reference count can reach zero before `exp_get` attempts to increment it, triggering a use-after-free detection mechanism (refcount warning). This is a classic RCU-reference count interaction bug where the two synchronization mechanisms are not properly coordinated. The fix would typically involve ensuring the export is active (reference count elevated) before proceeding with operations that depend on it.

Defensive priority

medium

Recommended defensive actions

Review Siemens ProductCERT advisory SSA-355557 for detailed product-specific impact assessment and patch availability
Verify whether affected Siemens industrial networking products (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family) are deployed in your environment
Apply kernel updates or vendor-provided patches when available, prioritizing systems with active NFS server functionality
Monitor NFS server logs for refcount warnings that may indicate exploitation attempts
Implement network segmentation to limit exposure of industrial control systems with NFS services
Follow CISA ICS recommended practices for defense-in-depth strategies for industrial control systems

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The technical details describe a refcount use-after-free condition in nfsd's `e_show` function under RCU protection. The 'Misinformed' threat categorization for affected products suggests the advisory may have been updated to reflect corrected impact assessment. The advisory revision history shows multiple updates, with the most recent on 2026-02-25 republishing based on Siemens ProductCERT guidance.

Official resources

2025-08-12