PatchSiren cyber security CVE debrief
CVE-2025-38685 Cert Portal CVE debrief
CVE-2025-38685 is a high-severity memory corruption issue in the Linux kernel fbdev console/framebuffer mapping path. The advisory says a userspace ioctl (FBIOPUT_CON2FBMAP) can map a console to a framebuffer, but if the required console resize fails and execution continues, later screen-update logic can mix stale vc_data references with the newly mapped framebuffer state. That unsafe state can lead to an out-of-bounds write in fast_imageblit(), with the source specifically noting invalid struct references in fbcon_putcs() when the affected console is visible.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
System owners and operators responsible for the affected Siemens SIMATIC CN 4100 systems listed in the advisory, plus administrators of Linux deployments that use the fbdev/framebuffer console path. Local users with access on the affected system are relevant because the CVSS vector requires local access.
Technical summary
The vulnerable flow is in fbdev console-to-framebuffer remapping. When FBIOPUT_CON2FBMAP is used, the code attempts to resize the console to match framebuffer parameters. If vc_do_resize() fails, the code path described in the advisory continues anyway, leaving a mismatch between vc_data from the previous framebuffer and display variables pointing to the new framebuffer. That state can reach fast_imageblit() and cause an out-of-bounds write. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and the advisory cites CWE-787.
Defensive priority
High. The issue is locally reachable, rated CVSS 7.8, and can produce memory corruption with high impact. Patch/upgrade should be treated as a priority for exposed or operationally important systems.
Recommended defensive actions
- Update to V5.0 or later, as listed in the vendor remediation.
- Review systems that may use the affected fbdev/framebuffer console mapping path and confirm whether the advisory applies.
- Restrict local access on systems where untrusted users can reach console/framebuffer management interfaces.
- Prioritize validation and remediation on any Siemens SIMATIC CN 4100 deployments named in the advisory.
- Track CISA/Siemens advisory updates and confirm asset inventory against the affected product/version range.
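For the review and local-access actions above, the following shell check is an added example, not part of the advisory or any vendor tooling. It reports whether fbcon is bound to a virtual console and which `/dev/fb*` nodes grant access to all local users. The optional root-prefix argument is an assumption of this example, added so the functions can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: local exposure check for the fbdev console-mapping path.
# The ROOT prefix argument is an assumption of this example (empty = live system).

# Succeeds if a VT console backend named "frame buffer device" is bound,
# i.e. fbcon is actually driving a virtual console on this host.
fbcon_bound() {
    root=${1:-}
    for d in "$root"/sys/class/vtconsole/vtcon*; do
        [ -r "$d/name" ] && [ -r "$d/bind" ] || continue
        if grep -q 'frame buffer' "$d/name" && [ "$(cat "$d/bind")" = "1" ]; then
            return 0
        fi
    done
    return 1
}

# Prints "<node> <octal mode>" for each framebuffer node that grants any
# permission to "other"; FBIOPUT_CON2FBMAP is issued on an open /dev/fbN.
fb_nodes_loose() {
    root=${1:-}
    for n in "$root"/dev/fb[0-9]*; do
        [ -e "$n" ] || continue
        mode=$(stat -c '%a' "$n") || continue
        case $mode in
            *[1-7]) printf '%s %s\n' "$n" "$mode" ;;
        esac
    done
}

# Summarises both checks; returns 0 when neither check finds exposure.
fbdev_audit() {
    root=${1:-}
    rc=0
    if fbcon_bound "$root"; then
        echo "fbcon is bound to a virtual console: console/framebuffer mapping path is in use"
        rc=1
    fi
    loose=$(fb_nodes_loose "$root")
    if [ -n "$loose" ]; then
        echo "framebuffer nodes accessible to all local users:"
        echo "$loose"
        rc=1
    fi
    return $rc
}

fbdev_audit "${1:-}" || true
```

A clean result only describes exposure of the code path on that host; whether the advisory applies is still decided by the product and version range it lists.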
Evidence notes
The source corpus is CISA CSAF advisory ICSA-26-134-10, republished from Siemens ProductCERT advisory SSA-032379. The advisory was initially published on 2026-05-12 and republished on 2026-05-14. The vulnerability text describes a Linux kernel fbdev fast_imageblit out-of-bounds write triggered through FBIOPUT_CON2FBMAP after a failed resize, and the supplied severity is CVSS 7.8 (HIGH).
Official resources
- CVE-2025-38685 CVE record (CVE.org)
- CVE-2025-38685 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-05-12 and republished it on 2026-05-14 from Siemens ProductCERT advisory SSA-032379. The CVE record and source corpus both identify CVE-2025-38685 as a high-severity issue.