PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-38680 Cert Portal CVE debrief

CVE-2025-38680 describes a 1-byte out-of-bounds read in the Linux kernel’s uvcvideo path. The advisory explains that uvc_parse_format() could read buffer[3] after only checking for a 3-byte minimum, so inputs with exactly 3 bytes could trigger an out-of-bounds read. The cited fix is to require at least 4 bytes before parsing. In the supplied CISA CSAF source, this issue is republished in the context of Siemens SIMATIC CN 4100 versions earlier than 5.0. The source item also marks the vendor/product mapping as low-confidence and needing review, so defenders should treat the Linux-kernel flaw as authoritative while verifying the affected Siemens product mapping against the vendor advisory and installed device inventory.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators and maintainers of Siemens SIMATIC CN 4100 deployments listed as affected in the advisory, especially teams responsible for embedded Linux components, USB/video handling, and device lifecycle patching. Security staff tracking government ICS advisories should also review the mapping because the source item flags the vendor/product attribution as low confidence and needing review.

Technical summary

The supplied advisory says the precondition check before uvc_parse_format() only ensured the buffer had at least 3 bytes, but the function accesses buffer[3], which requires 4 bytes. That mismatch creates a 1-byte out-of-bounds read when the buffer length is exactly 3. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local issue with high availability impact and no listed confidentiality or integrity impact.

Defensive priority

Medium—prioritize validation and patching if you operate affected Siemens SIMATIC CN 4100 devices; otherwise track it as a lower-priority embedded Linux memory-safety issue with local exposure.

Recommended defensive actions

  • Confirm whether any deployed Siemens SIMATIC CN 4100 systems match the advisory scope of versions earlier than 5.0.
  • Apply the vendor remediation to update to V5.0 or later, as listed in the source advisory.
  • Verify the Siemens ProductCERT advisory and internal asset inventory because the source item marks the product attribution as low confidence and needing review.
  • Use the CISA ICS advisory and Siemens advisory references to map affected assets before scheduling maintenance.
  • Monitor affected devices for abnormal behavior during USB/video subsystem activity, consistent with an availability-impacting local memory-safety flaw.

Evidence notes

Source evidence states: (1) the buffer length check before uvc_parse_format() only guaranteed 3 bytes (buflen > 2), while the function accesses buffer[3]; (2) the fix is to require at least 4 bytes; (3) the CISA CSAF republication date is 2026-05-14, with the initial publication on 2026-05-12; and (4) the source item lists Siemens SIMATIC CN 4100 vers:intdot/<5.0 as the affected product, but also flags the vendor/product attribution as low confidence and needing review. The CVSS vector provided in the source is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
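The off-by-one between the guard and the access described in the technical summary and in evidence note (1), as an added illustration that is not the kernel's uvc_parse_format() nor any code from the advisory: a constructed C model in which the caller's length guard (`buflen > 2`, then the fixed `buflen >= 4`) is checked against the highest index the parser touches (`buffer[3]`), with the read routed through a bounds-checked helper so the out-of-bounds case is reported rather than performed. All function names and the sample descriptor bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bug class in the advisory: a caller checks
 * buflen > 2 (at least 3 bytes) before a parser that reads buffer[3],
 * which needs at least 4 bytes. Illustrative only, not kernel code. */

#define HIGHEST_INDEX_READ 3   /* the parser reads buffer[3] */

/* Guards as the advisory describes them: the original only guarantees
 * 3 bytes; the fix requires 4. Each returns 1 to admit the buffer. */
static int guard_vulnerable(size_t buflen) { return buflen > 2; }
static int guard_fixed(size_t buflen)      { return buflen >= 4; }

/* 1 when the guard admits a length for which buffer[HIGHEST_INDEX_READ]
 * lies past the end of the buffer (the off-by-one the CVE describes). */
static int guard_allows_oob(int (*guard)(size_t), size_t buflen) {
    return guard(buflen) && buflen <= HIGHEST_INDEX_READ;
}

/* Bounds-checked read: -1 instead of touching memory past buflen. */
static int read_byte(const uint8_t *buf, size_t buflen, size_t idx) {
    if (idx >= buflen) return -1;
    return buf[idx];
}

/* Modelled parse step: apply the guard, then read byte 3 through
 * read_byte(). Returns -2 if the guard rejects, -1 if the guard admitted
 * a buffer too short for the access, else the byte value. */
static int parse_format_model(int (*guard)(size_t),
                              const uint8_t *buf, size_t buflen) {
    if (!guard(buflen)) return -2;
    return read_byte(buf, buflen, HIGHEST_INDEX_READ);
}

/* Constructed sample descriptors (values are arbitrary, not real UVC). */
static const uint8_t kSampleThree[3] = {0x03, 0x24, 0x04};
static const uint8_t kSampleFour[4]  = {0x04, 0x24, 0x04, 0x01};

int main(void) {
    printf("vulnerable guard, 3-byte input: %d (expect -1, OOB)\n",
           parse_format_model(guard_vulnerable, kSampleThree, 3));
    printf("fixed guard, 3-byte input: %d (expect -2, rejected)\n",
           parse_format_model(guard_fixed, kSampleThree, 3));
    printf("fixed guard, 4-byte input: %d (expect 1)\n",
           parse_format_model(guard_fixed, kSampleFour, 4));
    return 0;
}
```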

Official resources

Public advisory disclosed through CISA CSAF on 2026-05-12 and republished by CISA on 2026-05-14; no CISA KEV listing is provided in the supplied corpus.