PatchSiren

CVE-2025-38687 Cert Portal CVE debrief

CVE-2025-38687 is a race condition in the Linux kernel comedi driver that can lead to a use-after-free when a device is detached while poll requests are still queued. The supplied advisory context maps the issue to Siemens SIMATIC CN 4100 versions before 5.0, and the source description says the fix is to keep the device attach lock held while checking for sleepers and detaching.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Linux and embedded/ICS defenders who manage systems using the comedi driver, plus operators following the Siemens advisory guidance for SIMATIC CN 4100.

Technical summary

The source description says comedi could remove an allocated async area even though poll requests were still active on a wait_queue_head inside that memory. If poll entries were later triggered or removed, the freed memory could be touched again, causing a use-after-free. The fix write-locks dev->attach_lock in the COMEDI_DEVCONFIG path before checking whether subdevice wait queues still have sleepers, and it keeps the lock held through detach after refactoring comedi_device_detach() into comedi_device_detach_locked().

Defensive priority

Medium

Recommended defensive actions

  • Identify whether affected kernels or comedi-enabled systems are in use in your environment.
  • Apply the vendor or kernel fix; for Siemens-mapped systems, follow the advisory remediation to update to V5.0 or later.
  • Restrict access to local device configuration and other privileged paths to trusted administrators only.
  • Watch for crashes, hangs, or abnormal behavior around polling and device detachment.
  • Track the CISA and Siemens advisory pages for any follow-up updates or clarifications.

Evidence notes

The supplied CVE timeline lists publication on 2026-05-12 and modification on 2026-05-14; the CISA CSAF source item shows the same dates, with a republication note on 2026-05-14. The source text describes a syzbot-reported use-after-free in comedi caused by detaching the device while poll waiters remained active on a wait_queue_head. The CVSS vector provided is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which aligns with a local, low-privilege availability-impact issue. The source metadata also maps the advisory to Siemens SIMATIC CN 4100 vers:intdot/<5.0, but the vulnerability description itself is explicitly about the Linux kernel comedi driver, so that product mapping should be treated cautiously.

Official resources

Use the supplied timeline dates for context: published 2026-05-12 and modified 2026-05-14. CISA republished Siemens ProductCERT advisory SSA-032379 on 2026-05-14, and the advisory text says the comedi race was resolved by locking and detach