PatchSiren


CVE-2025-38681 Cert Portal CVE debrief

CVE-2025-38681 is a race condition in Linux kernel ptdump page-table inspection paths. During memory hot-remove, kernel page tables can change while ptdump_walk_pgd() or ptdump_check_wx() is reading them. In the worst case, freed intermediate page-table memory can be reused, letting the dump code dereference stale pointers and potentially crash or otherwise misbehave. The provided advisory data ties the issue to a Siemens SIMATIC CN 4100 record, but that product association is low-confidence and should be verified against the linked vendor advisory.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Linux kernel maintainers, OT/ICS administrators, and platform teams responsible for systems that expose kernel page-table debug interfaces or include the affected ptdump paths. Treat the Siemens SIMATIC CN 4100 product mapping as needing verification.

Technical summary

The source advisory describes a race between kernel page-table dumping and concurrent memory hotplug teardown. Leaf-entry changes can produce stale output, but freeing intermediate page-table levels creates a use-after-free risk inside the ptdump traversal. The fix moves the memory hotplug lock into the generic ptdump path so both kernel_page_tables and check_wx_pages use consistent synchronization. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H (6.5, Medium).

Defensive priority

Medium

Recommended defensive actions

  • Apply the vendor-fixed release identified in the source advisory: update to V5.0 or later.
  • Verify whether your environment actually uses the affected Siemens mapping or the underlying Linux kernel ptdump code, since the source record’s product association is low-confidence.
  • Prioritize systems where local users can access kernel debugfs or page-table inspection interfaces.
  • Review kernel update cadence for OT/ICS appliances and Linux-based embedded devices that inherit the affected kernel code.
  • Confirm the fix by checking the linked Siemens ProductCERT and CISA advisory records for the final affected-version matrix.
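
To support the prioritization step above, the following added example (not taken from the advisory or from any vendor tooling) reports whether the ptdump debugfs files are reachable by non-root users. It assumes the files appear as kernel_page_tables and check_wx_pages directly under each debugfs mount point; the function names and the ROOT_PREFIX argument are hypothetical and exist so the check can also run against a sample directory tree.

```shell
#!/bin/sh
# Added example: classify exposure of the ptdump debugfs files.
# Verdicts: exposed | root-only | absent | no-debugfs

# Permission string of a path as printed by ls (e.g. -r--r--r--).
perm_of() { ls -ld "$1" 2>/dev/null | awk '{ print $1 }'; }

# nonowner_can PERMSTRING r|x : true if group or other holds that bit.
nonowner_can() {
    case $2 in
        r) case $1 in ????r*|???????r*) return 0 ;; esac ;;
        x) case $1 in ??????[xs]*|?????????[xt]*) return 0 ;; esac ;;
    esac
    return 1
}

# ptdump_exposure MOUNTS_FILE [ROOT_PREFIX]
# MOUNTS_FILE uses the /proc/mounts layout: device mountpoint fstype options ...
ptdump_exposure() {
    root=${2:-}
    mounts=$(awk '$3 == "debugfs" { print $2 }' "$1")
    if [ -z "$mounts" ]; then echo "no-debugfs"; return 0; fi
    for mnt in $mounts; do
        # A debugfs root that non-owners cannot traverse hides every file in it.
        if ! nonowner_can "$(perm_of "$root$mnt")" x; then
            echo "root-only $mnt"; continue
        fi
        for name in kernel_page_tables check_wx_pages; do
            f="$root$mnt/$name"
            if [ ! -e "$f" ]; then
                echo "absent $mnt/$name"
            elif nonowner_can "$(perm_of "$f")" r; then
                echo "exposed $mnt/$name"
            else
                echo "root-only $mnt/$name"
            fi
        done
    done
}

# Live check on a Linux host: one verdict line per mount or file.
if [ -r /proc/mounts ]; then ptdump_exposure /proc/mounts; fi
```

An "exposed" verdict marks a host where unprivileged local users can trigger the page-table walk and which therefore belongs at the front of the patch queue; "absent" means debugfs is mounted but the dump files are not present.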

Evidence notes

The supplied CISA CSAF source (ICSA-26-134-10) was published on 2026-05-12 and republished on 2026-05-14. Its description explains the race in mm/ptdump and the synchronization change that moves the memory hotplug lock into the generic ptdump path. The source record also maps the CVE to Siemens SIMATIC CN 4100 vers:intdot/<5.0, but that mapping is low-confidence and should be verified against the linked vendor advisory. No KEV entry is provided in the supplied enrichment.

Official resources

Publicly disclosed in CISA ICS advisory ICSA-26-134-10 on 2026-05-12, with a CISA republication on 2026-05-14 incorporating Siemens ProductCERT advisory SSA-032379. The supplied enrichment does not list this CVE in CISA KEV.