PatchSiren cyber security CVE debrief
CVE-2025-38552 Cert Portal CVE debrief
CVE-2025-38552 is described in the supplied source as a Linux kernel MPTCP race condition fix that prevents races between subflow failure and additional subflow creation. The advisory context provided by CISA maps the issue to Siemens SIMATIC CN 4100 vers:intdot/<5.0, with remediation to update to V5.0 or later. Because the source metadata and the vulnerability description do not align cleanly, this record should be treated with review caution.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Operators and maintainers responsible for Siemens SIMATIC CN 4100 deployments, especially where the product is managed through the referenced Siemens/CISA advisory chain. Linux kernel and networking maintainers should also note the underlying MPTCP race condition described in the source text.
Technical summary
The supplied description says the Linux kernel MPTCP code had a race between subflow failure and additional subflow creation. The fix introduces a separate flag, protected by the fallback lock, to represent when socket state should prevent additional subflow creation. The socket fallback path and MP_FAIL handling set that flag, and allow_infinite_fallback is now always accessed under the relevant lock so the write-side ONCE annotation can be removed.
Defensive priority
Medium. The CVSS vector provided is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H, indicating local attack conditions with high complexity and potential availability impact. Prioritize according to exposure of affected Siemens assets and the applicability of the referenced vendor fix.
Recommended defensive actions
- Review the Siemens ProductCERT/CISA advisory chain for applicability to your installed SIMATIC CN 4100 versions.
- Update affected systems to V5.0 or later, per the supplied remediation guidance.
- Validate whether any deployed assets match the affected product/version range before maintenance.
- Apply the update using standard OT change-control and maintenance procedures.
- Track the source mismatch in your internal ticketing or asset management process so the product-to-CVE mapping is verified before broad rollout.
Evidence notes
Source metadata states publication on 2026-05-12 and modification on 2026-05-14, with CISA revision history showing initial publication and a republication from Siemens ProductCERT SSA-032379. The source advisory lists productNames including Siemens SIMATIC CN 4100 vers:intdot/<5.0, while the vulnerability description text itself is a Linux kernel MPTCP race-condition fix. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H and severity is MEDIUM.
Official resources
-
CVE-2025-38552 CVE record
CVE.org
-
CVE-2025-38552 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed through CISA CSAF on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT advisory content. The CVE is not marked as CISA KEV in the supplied data.