PatchSiren cyber security CVE debrief
CVE-2025-38677 Cert Portal CVE debrief
CVE-2025-38677 describes an out-of-boundary access in the Linux kernel F2FS path, specifically during dnode handling in f2fs_get_dnode_of_data(). The advisory text says a corrupted image can cause a dnode to be parsed as an inode node, leading to an invalid block-address calculation and an out-of-bounds access. The fix adds a sanity check for node IDs of direct nodes during dnode lookup. The source advisory was published on 2026-05-12 and republished by CISA on 2026-05-14.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators of systems covered by the Siemens advisory and teams maintaining Linux-based embedded or industrial devices with F2FS support should review this CVE. This is especially relevant where storage corruption, untrusted media, or filesystem integrity issues could be introduced into an operational device.
Technical summary
The provided source says the flaw is in f2fs_get_dnode_of_data() in the Linux kernel. When a corrupted image causes a dnode to share the same node ID as its inode, the code can misinterpret the node type. That leads to a bad address calculation for a direct node entry and an out-of-bounds page access. The stated remediation is to add sanity checking for the node ID of all direct nodes during f2fs_get_dnode_of_data(). The advisory assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5 (Medium).
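The following is an added illustration, not code from the advisory or the Linux kernel: a simplified userspace model of why reading a direct node as an inode shifts the address calculation past the page, and of a node-ID sanity check of the kind the fix describes. The layout constants, the error code, the function names and the sample node IDs are assumptions made for the model.

```c
/* Simplified userspace model of the check; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_BYTES      4096u
#define INODE_ADDR_BASE 360u  /* assumed: inode fields precede the address array */
#define DNODE_ADDR_BASE 0u    /* assumed: a direct node starts with its address array */
#define MODEL_ECORRUPT  (-1)  /* hypothetical error code for this model */

/* Byte offset of address slot `ofs` under the given interpretation of the page. */
static size_t slot_offset(bool parsed_as_inode, uint32_t ofs)
{
    size_t base = parsed_as_inode ? INODE_ADDR_BASE : DNODE_ADDR_BASE;
    return base + (size_t)ofs * sizeof(uint32_t);
}

/* True when a 4-byte read of slot `ofs` stays inside the node page. */
static bool slot_in_bounds(bool parsed_as_inode, uint32_t ofs)
{
    return slot_offset(parsed_as_inode, ofs) + sizeof(uint32_t) <= PAGE_BYTES;
}

/* Sanity check in the spirit of the fix: nids[0] is the inode, nids[1..level]
 * are the nodes walked below it. A node that reuses the inode's ID would be
 * read back as the inode page, so the lookup is rejected as corrupted. */
static int check_path_nids(uint32_t ino, const uint32_t *nids, int level)
{
    for (int i = 1; i <= level; i++)
        if (nids[i] != 0 && nids[i] == ino)
            return MODEL_ECORRUPT;
    return 0;
}

int main(void)
{
    const uint32_t good[] = { 5, 9 }; /* constructed: inode 5, direct node 9 */
    const uint32_t bad[]  = { 5, 5 }; /* constructed: direct node reuses ID 5 */
    const uint32_t ofs = 934;         /* constructed slot index */

    printf("good path -> %d, corrupted path -> %d\n",
           check_path_nids(5, good, 1), check_path_nids(5, bad, 1));
    printf("slot %u: in bounds as dnode=%d, as inode=%d\n", (unsigned)ofs,
           slot_in_bounds(false, ofs), slot_in_bounds(true, ofs));
    return 0;
}
```

In the model, the same slot index is in bounds when the page is read as a direct node and out of bounds when it is read as an inode, which is the condition the node-ID check rejects before any address is computed.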
Defensive priority
Moderate. The issue is locally triggered and rated Medium, but it can still matter in embedded and industrial environments where filesystem corruption or maliciously crafted media may be introduced into a device.
Recommended defensive actions
- Apply the vendor remediation listed in the source advisory: update to V5.0 or later where applicable.
- Review whether any affected devices or images use F2FS and could process corrupted or untrusted storage content.
- Prioritize patching systems that accept removable media, imported images, or other externally supplied filesystem data.
- Validate backup and recovery procedures for devices that depend on the affected storage stack.
- Monitor vendor and CISA advisory updates for scope clarifications, since the source mapping to the Siemens product is marked low confidence and needs review.
Evidence notes
Source text explicitly states: “f2fs: fix to avoid out-of-boundary access in dnode page.” It further explains that a corrupted image can cause a dnode to be treated as an inode node, producing an out-of-bounds access during f2fs_get_dnode_of_data(). The advisory source is CISA CSAF ICSA-26-134-10, republished from Siemens ProductCERT SSA-032379. The provided timing fields show publishedAt 2026-05-12 and modifiedAt 2026-05-14; those dates are used here as the CVE disclosure timeline. The source also lists CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5.
Official resources
- CVE-2025-38677 CVE record (CVE.org)
- CVE-2025-38677 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Published 2026-05-12 and republished by CISA on 2026-05-14 from Siemens ProductCERT advisory SSA-032379 (ICSA-26-134-10).