PatchSiren

CVE-2025-38502 Cert Portal CVE debrief

CVE-2025-38502 is a Linux kernel BPF issue that can lead to out-of-bounds access in cgroup local storage handling when a tail call switches between programs using different storage sizes. The supplied CISA/Siemens advisory maps the issue to Siemens SIMATIC CN 4100 versions before 5.0 and recommends updating to V5.0 or later. The source corpus does not indicate known exploitation or KEV listing.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators and maintainers of Siemens SIMATIC CN 4100 systems running affected versions before V5.0, along with teams responsible for embedded Linux appliances that rely on BPF or cgroup local storage.

Technical summary

The advisory describes a runtime mismatch in BPF cgroup local storage selection during tail-call execution. Each program may verify correctly on its own, but the runtime context can carry the original program’s cgroup storage map into the callee, so a helper like bpf_get_local_storage() may use the wrong storage object. When the two programs use different value sizes, that mismatch can produce an unintended out-of-bounds access. The advisory’s remediation is to align storage ownership/selection during tail-call handling and to update affected Siemens software to V5.0 or later.

Defensive priority

Medium

Recommended defensive actions

  • Update Siemens SIMATIC CN 4100 to V5.0 or later using the vendor remediation guidance.
  • Inventory deployed versions to confirm whether any systems are in the affected range before 5.0.
  • Review BPF program usage on affected systems, especially tail calls combined with cgroup local storage.
  • Apply Linux kernel and vendor firmware updates through standard maintenance procedures.
  • Track Siemens and CISA advisories for any follow-up guidance or revised remediation notes.
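
For the BPF usage review above, the following added example (not code from the advisory, Siemens or the kernel project) flags tail-call pairs where caller and callee use cgroup storage maps of different value sizes, the condition the technical summary describes. It assumes program and map inventories shaped like bpftool's JSON output; the sample data and the TAIL_CALL_TARGETS table of prog_array contents are constructed for illustration.

```python
import json

# Constructed sample shaped like `bpftool -j prog show` and `bpftool -j map show`
# output (only the fields used here); not taken from a real system.
PROGS = json.loads('''[
 {"id": 11, "name": "entry", "map_ids": [1, 2]},
 {"id": 12, "name": "callee_small", "map_ids": [3]},
 {"id": 13, "name": "callee_same", "map_ids": [4]},
 {"id": 14, "name": "no_storage", "map_ids": []}]''')
MAPS = json.loads('''[
 {"id": 1, "type": "prog_array", "bytes_value": 4},
 {"id": 2, "type": "cgroup_storage", "bytes_value": 64},
 {"id": 3, "type": "cgroup_storage", "bytes_value": 8},
 {"id": 4, "type": "cgroup_storage", "bytes_value": 64}]''')
# Assumption: program ids stored in each prog_array map, resolved separately
# (for example from a dump of that map); constructed for this example.
TAIL_CALL_TARGETS = {1: [12, 13, 14]}

STORAGE_TYPES = {"cgroup_storage", "percpu_cgroup_storage"}

def storage_sizes(prog, maps_by_id):
    # storage map type -> value size, for the cgroup storage maps a program uses
    maps = (maps_by_id.get(mid) for mid in prog.get("map_ids", []))
    return {m["type"]: m["bytes_value"] for m in maps
            if m and m["type"] in STORAGE_TYPES}

def find_mismatches(progs, maps, targets):
    maps_by_id = {m["id"]: m for m in maps}
    progs_by_id = {p["id"]: p for p in progs}
    findings = []
    for caller in progs:
        caller_sizes = storage_sizes(caller, maps_by_id)
        for mid in caller.get("map_ids", []):
            if maps_by_id.get(mid, {}).get("type") != "prog_array":
                continue
            for callee_id in targets.get(mid, []):
                callee = progs_by_id.get(callee_id, {})
                for kind, size in storage_sizes(callee, maps_by_id).items():
                    # Same storage type on both sides but different value size:
                    # the pairing the advisory describes.
                    if caller_sizes.get(kind, size) != size:
                        findings.append((caller["name"], callee["name"],
                                         kind, caller_sizes[kind], size))
    return findings

if __name__ == "__main__":
    for f in find_mismatches(PROGS, MAPS, TAIL_CALL_TARGETS):
        print("tail call %s -> %s: %s value size %d vs %d bytes" % f)
```

A finding is a review lead rather than proof of exposure; the fix remains the kernel or vendor update listed above.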

Evidence notes

The supplied source item is a CISA CSAF advisory republishing Siemens ProductCERT advisory SSA-032379. It was published on 2026-05-12 and modified on 2026-05-14. The advisory text ties the issue to a Linux kernel BPF cgroup local storage out-of-bounds access and recommends updating to V5.0 or later for Siemens SIMATIC CN 4100. The provided corpus marks the CVSS as 4.0 (Medium), shows no KEV entry, and includes low-confidence vendor metadata that should be treated carefully.

Official resources

First published in the supplied source corpus on 2026-05-12 and republished by CISA on 2026-05-14. No KEV listing is provided in the supplied materials.