PatchSiren cyber security CVE debrief
CVE-2025-38491 Cert Portal CVE debrief
CVE-2025-38491 is a Linux kernel MPTCP fallback handling flaw that was reported by Syzkaller and resolved by making the fallback action and fallback decision atomic. The supplied advisory data associates the CVE with a Siemens SIMATIC CN 4100 product record, but the technical description itself points to the Linux kernel networking stack, so the product mapping should be verified before scoping remediation. The issue is rated CVSS 5.5 MEDIUM with a high availability impact and no indicated confidentiality or integrity impact.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Teams operating or maintaining Siemens SIMATIC CN 4100 environments referenced by the advisory, plus Linux kernel maintainers and operators of systems that rely on MPTCP networking. This is most relevant where patching and reboot coordination are tightly controlled, such as industrial or appliance-style deployments.
Technical summary
The advisory text says the Linux kernel MPTCP code had a race between the fallback decision and the fallback action. Syzkaller triggered a kernel warning in mptcp_incoming_options, with the trace reaching __mptcp_do_fallback and related MPTCP option-processing paths. The resolution described in the source is to make the decision and action atomic, reducing the chance of inconsistent fallback state during packet processing. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Defensive priority
Medium. The source indicates a kernel-level availability issue with local privileges required, and the advisory carries a medium CVSS score. Prioritize if the affected Linux kernel code path is present in operationally important appliances or industrial systems, especially where downtime is costly.
Recommended defensive actions
- Verify whether the affected Siemens advisory mapping applies to your asset inventory, since the supplied corpus shows a Linux kernel root cause and a Siemens product association that needs review.
- Apply the vendor remediation listed in the advisory: update to V5.0 or later where applicable.
- Plan and test maintenance windows for kernel or appliance updates, since the source impact is primarily availability-related.
- Check whether MPTCP is enabled or used in your environment and include that in exposure assessment.
- Monitor for vendor follow-up notices or republished advisories that clarify affected versions and product scope.
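As an added illustration of the MPTCP exposure check above (this script is not part of the advisory or of any Siemens or kernel tooling), the following POSIX shell functions read the net.mptcp.enabled sysctl through its /proc path and count MPTCP sockets from `ss -M` output. The sysctl path and the `ss -M` option are assumed to be available on a Linux host with MPTCP support and a recent iproute2; the sample socket listing embedded below is constructed so the counting logic can be exercised where `ss` is absent.

```shell
#!/bin/sh
# Added example, not from the advisory: a small MPTCP exposure check for a
# Linux host, intended to feed an asset-inventory note. Assumptions: the
# kernel exposes net.mptcp.enabled as /proc/sys/net/mptcp/enabled and the
# local iproute2 `ss` understands -M (list MPTCP sockets).

# mptcp_state [FILE]
# Prints one of: enabled | disabled | unknown | unsupported
# FILE defaults to the real sysctl path; the parameter exists so the
# function can be checked against a constructed file.
mptcp_state() {
    f="${1:-/proc/sys/net/mptcp/enabled}"
    if [ ! -r "$f" ]; then
        # The sysctl is absent when the running kernel has no MPTCP support,
        # so the affected fallback code path is not reachable on this host.
        echo unsupported
        return 0
    fi
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# mptcp_socket_count < SS_OUTPUT
# Counts socket rows in `ss -M` style output, skipping the header line.
# Reads stdin so both live and constructed output can be fed in.
mptcp_socket_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Constructed sample in the shape of `ss -M` output (addresses are made up).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB  0      0      10.0.0.5:44310      10.0.0.9:443
ESTAB  0      0      10.0.0.5:44312      10.0.0.9:443'

# exposure_report [FILE]
# Prints a single "mptcp=<state> sockets=<n>" line for the inventory.
exposure_report() {
    state=$(mptcp_state "$1")
    if command -v ss >/dev/null 2>&1; then
        # Older ss builds without -M fail; the awk stage still yields 0.
        count=$(ss -M 2>/dev/null | mptcp_socket_count)
    else
        # No ss available (e.g. a minimal container): fall back to the
        # constructed sample so the report format is still demonstrated.
        count=$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | mptcp_socket_count)
    fi
    echo "mptcp=$state sockets=$count"
}

# Live run against this host; harmless on kernels without MPTCP.
exposure_report
```

A host that reports `mptcp=unsupported` does not carry the affected code path; `mptcp=enabled` with a non-zero socket count is the case worth recording against the CVE during exposure assessment.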
Evidence notes
The supplied source is CISA ICSA-26-134-10, which republishes Siemens ProductCERT advisory SSA-032379. The description explicitly states the Linux kernel MPTCP fallback logic was changed to make fallback action and decision atomic after a Syzkaller-reported warning. The metadata also maps the CVE to Siemens SIMATIC CN 4100 vers:intdot/<5.0, but vendor confidence is low and needs review, so that product association should not be treated as fully validated without checking the official Siemens advisory. The source does not indicate KEV listing or known ransomware use.
Official resources
- CVE-2025-38491 CVE record (CVE.org)
- CVE-2025-38491 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Published 2026-05-12 and republished/modified 2026-05-14 per the supplied timeline; the CVE issue date should be interpreted from those advisory dates, not from PatchSiren generation time.