PatchSiren cyber security CVE debrief
CVE-2025-38670 Cert Portal CVE debrief
CVE-2025-38670 is a Linux kernel arm64 entry-path flaw that can leave the task stack and Shadow Call Stack out of sync if an interrupt lands during stack switching. The source advisory says this can clobber stack state and lead to kernel panics or other availability failures. In the supplied advisory metadata, Siemens maps the issue to SIMATIC CN 4100 versions prior to 5.0 and recommends updating to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
OT defenders, embedded Linux maintainers, and Siemens SIMATIC CN 4100 operators on affected versions; also Linux arm64 platform owners using Shadow Call Stack, pseudo-NMI-like configurations, or other interrupt-heavy deployments.
Technical summary
According to the source advisory, cpu_switch_to() and call_on_irq_stack() change SP and the Shadow Call Stack pointer in separate steps, so an SError or Debug Exception can interrupt the transition and leave SP and x18 pointing at different tasks or stacks. That mismatch can cause the wrong SCS pointer to be saved or reused, clobbering task state and potentially triggering kernel panics. The fix masks DAIF during cpu_switch_to() and around the stack-switch branch in call_on_irq_stack(), and uses an assembly macro to save and mask DAIF consistently.
Defensive priority
Medium. The published CVSS is 5.5/Medium, but the main consequence is availability loss in kernel space, which can be operationally significant for OT and embedded systems.
Recommended defensive actions
- Apply the vendor remediation and update Siemens SIMATIC CN 4100 to V5.0 or later, as stated in the advisory.
- Verify whether any deployed systems use affected arm64 kernel builds or configurations that enable Shadow Call Stack or pseudo-NMI behavior.
- Prioritize patching systems where a kernel panic would have operational or safety impact, especially in OT environments.
- Monitor for unexplained kernel panics, stack corruption symptoms, or repeated reboot events on affected devices.
- Confirm firmware/software provenance before and after remediation so the fix is sourced from the official Siemens update path.
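One way to carry out the configuration check in the second action above, as an added example that is not part of the advisory or any vendor tooling. The function names, the output format and the sample config are assumptions made for illustration; the script reports build and boot options only and cannot tell whether a kernel already carries the fix.

```shell
#!/bin/sh
# Added example: report the arm64 kernel options this debrief asks you to verify.
# Function names and output format are illustrative, not from any vendor tool.

# has_opt <config-file> <SYMBOL>: true when the symbol is built in (=y)
has_opt() { grep -q "^$2=y\$" "$1"; }

# scs_report <arch> <config-file> <kernel-cmdline>
# Prints "not-arm64", "no-config", or
# "arm64 scs=<yes|no> pseudo_nmi=<off|built|active>"
scs_report() {
    case "$1" in
        aarch64|arm64) ;;
        *) echo "not-arm64"; return 0 ;;
    esac
    [ -r "$2" ] || { echo "no-config"; return 0; }
    scs=no; pnmi=off
    if has_opt "$2" CONFIG_SHADOW_CALL_STACK; then scs=yes; fi
    if has_opt "$2" CONFIG_ARM64_PSEUDO_NMI; then
        pnmi=built
        # Built-in pseudo-NMI support is only used when enabled at boot.
        case " $3 " in
            *" irqchip.gicv3_pseudo_nmi=1 "*) pnmi=active ;;
        esac
    fi
    echo "arm64 scs=$scs pseudo_nmi=$pnmi"
}

# sample_config: constructed config fragment for offline runs (not a real device)
sample_config() {
    printf '%s\n' 'CONFIG_ARM64=y' 'CONFIG_SHADOW_CALL_STACK=y' \
        '# CONFIG_ARM64_PSEUDO_NMI is not set'
}

# live_report: check the local system; config location varies by distribution
live_report() {
    tmp=$(mktemp) || return 1
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz > "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$tmp"
    else
        rm -f "$tmp"; echo "no-config"; return 0
    fi
    scs_report "$(uname -m)" "$tmp" "$(cat /proc/cmdline 2>/dev/null)"
    rm -f "$tmp"
}

if [ "${1:-}" = "--live" ]; then live_report; fi
```

Run with --live on a device, or call scs_report against a config file extracted from a firmware image when the device itself cannot be queried.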
Evidence notes
The supplied CISA CSAF advisory ICSA-26-134-10 was published on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT SSA-032379 as the referenced vendor advisory. The advisory metadata assigns the issue to Siemens SIMATIC CN 4100 versions prior to 5.0 and provides the remediation to update to V5.0 or later. The vulnerability description in the source corpus attributes the underlying flaw to Linux kernel arm64 entry code involving cpu_switch_to() and call_on_irq_stack(). The product attribution is low confidence in the provided metadata, so it should be treated carefully.
Official resources
- CVE-2025-38670 CVE record (CVE.org)
- CVE-2025-38670 NVD detail (NVD)
- Source item URL (cisa_csaf)
CVE-2025-38670 was published on 2026-05-12 and modified on 2026-05-14 in the supplied source timeline. The CISA CSAF advisory was republished on 2026-05-14 to include Siemens ProductCERT SSA-032379.