PatchSiren cyber security CVE debrief
CVE-2025-38322 Cert Portal CVE debrief
CVE-2025-38322 describes a Linux kernel regression in perf/x86/intel that can trigger a crash or hard lockup when topdown/perf metrics code runs on Intel Raptor Lake E-core CPUs that do not support the perf metrics feature. The supplied advisory says the bug came from a mistaken use of is_topdown_event() instead of is_topdown_count(), and it was fixed by correcting when icl_update_topdown_event() is invoked. The issue was publicly disclosed in the supplied CISA CSAF on 2026-05-12 and republished on 2026-05-14.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Linux kernel maintainers, distro and appliance vendors, and operators of Intel Raptor Lake systems that expose perf/perf_event functionality should review this issue. It is most relevant where local users or diagnostics can trigger perf reads on affected kernels, especially on systems using E-core CPUs.
Technical summary
The advisory text says perf_fuzzer found a hard-lockup crash on a Raptor Lake machine, with a call trace reaching icl_update_topdown_event() and native_read_pmc(). The root cause is described as a regression from commit f9bdf1f95339, where is_topdown_event() was used in place of is_topdown_count() to decide whether the perf metrics topdown path should run. On CPUs 16-23 in the reported system, the E-core CPUs do not support perf metrics, so invoking that path there can cause a general protection fault or crash.
Defensive priority
Medium. The CVSS score in the supplied source is 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), which indicates a local, availability-focused issue. Prioritize remediation on affected Intel Raptor Lake deployments and any Linux build that includes the vulnerable perf/x86/intel logic.
Recommended defensive actions
- Apply the vendor-provided fix or update to a kernel/software build that contains the icl_update_topdown_event() correction.
- Verify whether your deployed kernel includes the regression associated with commit f9bdf1f95339 and update if it does.
- Review local access to performance-monitoring interfaces and limit use to trusted administrators where operationally feasible.
- Monitor affected systems for kernel oops, hard-lockup, or unexpected perf-related crashes, especially on Raptor Lake E-core systems.
- Validate product attribution against the vendor advisory before relying on the supplied Siemens product metadata, as the advisory body describes a Linux kernel issue.
Evidence notes
The supplied CISA CSAF source (ICSA-26-134-10 / CVE-2025-38322) describes a Linux kernel perf/x86/intel crash, not an exploitation chain or weaponized payload. It explicitly states that E-core CPUs in the reported Raptor Lake system do not support perf metrics and that icl_update_topdown_event() should not run there. The same source identifies the regression source as commit f9bdf1f95339 and the logic error as substituting is_topdown_event() for is_topdown_count(). The source metadata also names Siemens SIMATIC CN 4100 vers:intdot/<5.0, which does not match the Linux kernel description and should be treated as needing manual review.
Official resources
-
CVE-2025-38322 CVE record
CVE.org
-
CVE-2025-38322 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the supplied CISA CSAF on 2026-05-12 and republished on 2026-05-14. No KEV date is provided in the supplied enrichment, and no ransomware campaign use is indicated.