PatchSiren cyber security CVE debrief

CVE-2025-23143 Cert Portal CVE debrief

CVE-2025-23143 is a Linux kernel availability issue tied to CIFS socket teardown and lockdep lock-class handling. Under the conditions described in the advisory, the CIFS module can be unloaded while a TCP socket is still alive in FIN_WAIT_1, and later socket activity can cause lockdep to access module-owned lock-class metadata that no longer exists. The result is a warning followed by a NULL pointer dereference, creating a kernel denial-of-service risk. The public advisory maps the issue to Siemens SIMATIC CN 4100 versions before 5.0, but the underlying technical description is kernel-focused and should be validated against the actual shipped software stack.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Linux kernel maintainers, distro and firmware teams that ship CIFS support, and operators of Siemens SIMATIC CN 4100 systems or other deployments that rely on the affected kernel socket-locking path.

Technical summary

The advisory describes a lifetime mismatch: CIFS calls sock_release() on an underlying TCP socket, but if incoming FIN packets are dropped the socket can remain alive in FIN_WAIT_1 even after the module refcount reaches zero and rmmod succeeds. With LOCKDEP enabled, the socket uses a custom lock class assigned via sock_lock_init_class_and_name(). If later packet processing or a timer acquires sk->sk_lock after the module has been unloaded, lockdep reaches hlock_class() and cannot resolve the module-backed lock class, which leads first to a warning and then to a NULL pointer dereference. The described fix is to hold the module reference while such sockets remain alive and release it only when the socket is freed in sk_prot_free().
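The lifetime mismatch above is easiest to see as a sequence of events. The following is an added illustration written for this debrief, not kernel code: it is a toy Python model whose names mirror the kernel symbols the advisory cites (sock_release, sock_lock_init_class_and_name, hlock_class, sk_prot_free, rmmod), with a hold_module_ref switch that selects the vulnerable behaviour (module reference dropped at sock_release) or the described fix (reference held until sk_prot_free). Everything else (the lockdep registry, the module refcount, the exception used to stand in for the NULL dereference) is an assumption of the model.

```python
"""Toy model of the CIFS socket / module lifetime mismatch.

Added example for this debrief, not kernel source. Symbol names follow the
advisory; the data structures and refcount handling are simplified stand-ins.
"""


class ModuleUnloadError(Exception):
    """Stands in for rmmod failing with EBUSY while a reference is held."""


class KernelModule:
    def __init__(self, name):
        self.name = name
        self.refcnt = 0
        self.loaded = True
        # Lockdep lock classes live in module-owned memory and vanish on unload.
        self.lock_classes = {}

    def register_lock_class(self, class_name):
        self.lock_classes[class_name] = {"name": class_name, "owner": self.name}
        return class_name


class Lockdep:
    """Global registry mapping a lock-class key to the module that owns it."""

    def __init__(self):
        self.key_owner = {}

    def hlock_class(self, key):
        owner = self.key_owner.get(key)
        if owner is None or not owner.loaded:
            # The real kernel warns here and returns NULL.
            print(f"WARNING: lockdep cannot resolve lock class {key!r}")
            return None
        return owner.lock_classes[key]


class Socket:
    def __init__(self, module, lockdep, hold_module_ref):
        self.state = "ESTABLISHED"
        self.owner = module
        self.lockdep = lockdep
        self.hold_module_ref = hold_module_ref
        # sock_lock_init_class_and_name(): the socket gets a module-owned lock class.
        self.lock_key = module.register_lock_class(f"sk_lock-{module.name}")
        lockdep.key_owner[self.lock_key] = module
        if hold_module_ref:
            # The fix: a live socket pins the module that owns its lock class.
            module.refcnt += 1

    def lock_sock(self):
        """Late packet or timer activity acquires sk->sk_lock via lockdep."""
        cls = self.lockdep.hlock_class(self.lock_key)
        return cls["name"]  # TypeError here models the NULL pointer dereference

    def sk_prot_free(self):
        """Socket is finally freed; only now may the module reference go."""
        if self.hold_module_ref:
            self.owner.refcnt -= 1
        self.state = "CLOSED"


def sock_release(sk, fin_acked):
    """CIFS tears the socket down. If the peer's FIN is dropped, the TCP socket
    lingers in FIN_WAIT_1 instead of being freed immediately."""
    if fin_acked:
        sk.sk_prot_free()
    else:
        sk.state = "FIN_WAIT_1"


def rmmod(module):
    if module.refcnt > 0:
        raise ModuleUnloadError(f"{module.name} is in use (refcnt={module.refcnt})")
    module.loaded = False
    module.lock_classes.clear()


def scenario(hold_module_ref):
    """Run the teardown sequence and report what the late lock acquisition sees."""
    lockdep = Lockdep()
    cifs = KernelModule("cifs")
    sk = Socket(cifs, lockdep, hold_module_ref)
    sock_release(sk, fin_acked=False)  # FIN dropped: socket stays in FIN_WAIT_1
    try:
        rmmod(cifs)
    except ModuleUnloadError:
        return "rmmod refused"
    # Socket is still alive: a retransmit timer or late segment takes sk_lock.
    try:
        return sk.lock_sock()
    except TypeError:
        return "NULL pointer dereference"


if __name__ == "__main__":
    print("vulnerable:", scenario(hold_module_ref=False))
    print("fixed:     ", scenario(hold_module_ref=True))
```

Running the module prints the two outcomes side by side: without the held reference, rmmod succeeds while the socket is in FIN_WAIT_1 and the later lock acquisition dereferences the missing class; with it, rmmod is refused until sk_prot_free has run.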

Defensive priority

Medium

Recommended defensive actions

  • Apply Siemens' published remediation and update affected SIMATIC CN 4100 systems to version 5.0 or later, per the advisory.
  • Verify that your Linux kernel build includes the fix that keeps a module reference for sockets created through sock_lock_init_class_and_name() until socket free time.
  • Prioritize patching systems that use CIFS or similar socket paths with LOCKDEP enabled, especially where modules may be unloaded while connections are still closing.
  • Validate the actual device/software inventory against the vendor advisory: the product metadata (Siemens SIMATIC CN 4100) and the kernel-level vulnerability description should be cross-checked before scoping exposure.
  • Watch for lockdep warnings or crashes involving hlock_class, __lock_acquire, tcp_v4_rcv, or recent CIFS unload activity as indicators of exposure.
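Two of the actions above (the pre-unload check and the log watch) can be scripted. The following is an added example for this debrief, not tooling from PatchSiren, CISA or Siemens: it groups a lockdep warning with the call-trace frames that follow it and flags traces matching the advisory's indicators, and it refuses a cifs unload while a TCP socket to the SMB port is still in FIN_WAIT_1. The kernel log, /proc/modules and ss excerpts are constructed samples, and the exact log layout on a given kernel build is an assumption; feed it real `dmesg`, `/proc/modules` and `ss -tan` output on the host you are checking.

```python
import re

# Constructed sample kernel log (not captured from a real system).
SAMPLE_DMESG = """\
[ 812.104401] WARNING: CPU: 2 PID: 0 at kernel/locking/lockdep.c hlock_class+0x5c/0x70
[ 812.104455] Call Trace:
[ 812.104470]  __lock_acquire+0x1f2/0x1d40
[ 812.104490]  lock_acquire+0xc8/0x2a0
[ 812.104510]  _raw_spin_lock+0x2f/0x40
[ 812.104530]  tcp_v4_rcv+0x9a1/0xd60
[ 812.110001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 900.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

# Constructed /proc/modules and `ss -tan` excerpts (layout assumed, not captured).
SAMPLE_PROC_MODULES = """\
cifs 1234567 0 - Live 0xffffffffc0a00000
libarc4 16384 1 cifs, Live 0xffffffffc0900000
"""
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:51234       10.0.0.9:445
FIN-WAIT-1 0      1      10.0.0.5:49832       10.0.0.9:445
FIN-WAIT-1 0      0      10.0.0.5:40000       93.184.216.34:443
"""

# Indicators named in the advisory's recommended actions.
INDICATORS = ("hlock_class", "__lock_acquire", "tcp_v4_rcv", "NULL pointer dereference")


def find_indicator_lines(log_text):
    """Return (line, indicator) pairs for every log line naming an indicator."""
    hits = []
    for line in log_text.splitlines():
        for ind in INDICATORS:
            if ind in line:
                hits.append((line.strip(), ind))
                break
    return hits


def classify_lockdep_events(log_text):
    """Group each lockdep WARNING with the call-trace frames after it and mark
    the event if the warning site is hlock_class and the trace runs through
    __lock_acquire or tcp_v4_rcv, the pattern the advisory describes."""
    events, current = [], None
    for line in log_text.splitlines():
        if "WARNING:" in line and "lockdep.c" in line:
            current = {"site": line.split("at ", 1)[1].strip(), "frames": [], "null_deref": False}
            events.append(current)
        elif current is not None and re.search(r"\]\s{2,}\S", line):  # indented frame
            frame = line.split("]", 1)[1].strip().split("+")[0]
            current["frames"].append(frame)
        elif current is not None and "NULL pointer dereference" in line:
            current["null_deref"] = True
            current = None  # the oops ends this event
    for ev in events:
        ev["matches_advisory"] = "hlock_class" in ev["site"] and any(
            f in ("__lock_acquire", "tcp_v4_rcv") for f in ev["frames"])
    return events


def cifs_unload_safe(proc_modules_text, ss_output_text, smb_port=445):
    """Pre-unload check for the window the advisory describes: unsafe while
    cifs is loaded and any TCP socket to the SMB port sits in FIN_WAIT_1.
    Returns (safe, lingering_socket_lines)."""
    cifs_loaded = any(line.split()[0] == "cifs"
                      for line in proc_modules_text.splitlines() if line.strip())
    lingering = [line for line in ss_output_text.splitlines()
                 if line.upper().replace("_", "-").startswith("FIN-WAIT-1")
                 and re.search(rf":{smb_port}\b", line)]
    return (not cifs_loaded) or not lingering, lingering


if __name__ == "__main__":
    for ev in classify_lockdep_events(SAMPLE_DMESG):
        print("lockdep event at", ev["site"], "matches advisory:", ev["matches_advisory"])
    safe, lingering = cifs_unload_safe(SAMPLE_PROC_MODULES, SAMPLE_SS)
    print("cifs unload safe:", safe, "lingering:", lingering)
```

The unload check is deliberately conservative: it only looks at sockets to the SMB port and at the FIN_WAIT_1 state the advisory names, so a clean result means the specific window described here is closed, not that unloading is generally safe. The log classifier keys on the warning site rather than on any single frame, which keeps unrelated lockdep splats with a tcp_v4_rcv frame from being reported as this issue.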

Evidence notes

The primary evidence comes from the CISA CSAF advisory ICSA-26-134-10 and the referenced Siemens ProductCERT advisory. The source text states that sock_release() can return while the TCP socket remains alive in FIN_WAIT_1, allowing rmmod to unload the module before the socket is freed. It also states that lockdep later consults a module-owned lock class via sock_lock_init_class_and_name(), and once the module is gone, hlock_class() warns and returns NULL, leading to a NULL pointer dereference. The advisory's proposed mitigation is to retain the module reference until sk_prot_free(). The source corpus also shows a product/version mapping for Siemens SIMATIC CN 4100 vers:intdot/<5.0, so asset matching should be validated carefully.

Official resources

Publicly disclosed by CISA in ICSA-26-134-10 on 2026-05-12, with a CISA republication of the Siemens ProductCERT advisory on 2026-05-14.