PatchSiren

CVE-2025-38691 Cert Portal CVE debrief

CVE-2025-38691 is a medium-severity availability issue described in the advisory text as a Linux kernel pNFS block/scsi layout bug. The published source says the problem can occur during repeated attempts to encode extents, where a retry path reallocates a larger buffer but initializes the page array only after the retry loop. The same source also notes that oversized layoutcommit buffers may exceed the maximum RPC size accepted by the server. The advisory was first published on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT advisory SSA-032379 referenced in the revision history. The vendor/product metadata in the source names Siemens SIMATIC CN 4100 vers:intdot/<5.0 and recommends updating to V5.0 or later, but the descriptive text is about a Linux kernel pNFS code path; that product mapping should be verified before prioritizing remediation.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Asset owners and operators with assets in the scope of the Siemens SIMATIC CN 4100 advisory, especially teams responsible for patching and OT/ICS maintenance, and any environments that depend on pNFS layout commit behavior or the referenced Linux kernel code path. Security teams should also review inventory because the source contains a vendor/product-to-description mismatch that requires validation.

Technical summary

The source description says ext_tree_prepare_commit() can retry encoding extents after reallocating a larger buffer, but ext_tree_free_commitdata() is called on each iteration and may dereference uninitialized pointers in the layoutupdate_pages array. It also says there is no cap on the maximum buffer size, so a client may build a layoutcommit larger than the maximum RPC size a server accepts. The advisory assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5, Medium), which points to local conditions with high availability impact. The remediation field in the source says to update to V5.0 or later.
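
A simplified userspace model of the retry pattern described above, written in its hardened form, as an added example (it is not the kernel source and not the upstream fix): the page array is built in the same step as the buffer, so the cleanup that runs on every retry never walks uninitialized pointers, and buffer growth stops at a cap. The names struct commit_args, MAX_BYTES (standing in for the server's maximum RPC size) and the need[] input are assumptions made for the illustration.

```c
#include <stdlib.h>
#define PAGE_SZ   4096u
#define MAX_BYTES (4u * PAGE_SZ) /* assumed cap standing in for the server's RPC limit */

struct commit_args {   /* hypothetical userspace model, not the kernel's struct */
    char  *buf;        /* extent encoding buffer */
    size_t size;
    char **pages;      /* models the layoutupdate_pages array */
    size_t npages;
};

/* Cleanup that is safe on every retry: it only walks an array that
 * alloc_commitdata() has already filled, then resets every field. */
static void free_commitdata(struct commit_args *a)
{
    for (size_t i = 0; a->pages && i < a->npages; i++)
        a->pages[i] = NULL;            /* models dropping the page reference */
    free(a->pages);
    free(a->buf);
    a->pages = NULL; a->buf = NULL; a->size = 0; a->npages = 0;
}

/* Allocate the buffer and initialize the page array in the same step,
 * so no retry iteration can observe a half-built state. */
static int alloc_commitdata(struct commit_args *a, size_t size)
{
    a->npages = (size + PAGE_SZ - 1) / PAGE_SZ;
    a->buf = malloc(a->npages * PAGE_SZ);
    a->pages = calloc(a->npages, sizeof(*a->pages));
    if (!a->buf || !a->pages) { free_commitdata(a); return -2; }
    for (size_t i = 0; i < a->npages; i++)
        a->pages[i] = a->buf + i * PAGE_SZ;
    a->size = a->npages * PAGE_SZ;
    return 0;
}

/* need[i] (n >= 1) is the space the extents require on attempt i; constructed
 * input that may grow between attempts. Returns 0 on success, -1 when the cap
 * would be exceeded, -2 on allocation failure. */
int prepare_commit(struct commit_args *a, const size_t *need, size_t n)
{
    int rc = alloc_commitdata(a, PAGE_SZ);
    for (size_t i = 0; rc == 0; i++) {
        size_t want = need[i < n ? i : n - 1];
        if (want <= a->size) return 0;         /* encoding fits */
        free_commitdata(a);                    /* runs on every retry */
        if (want > MAX_BYTES) return -1;       /* refuse an oversized commit */
        rc = alloc_commitdata(a, want);
    }
    return rc;
}
```

On a -1 result the caller in this model is left with a fully reset structure, so a later cleanup call is harmless.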

Defensive priority

Medium priority. Treat as a scheduled remediation item, but raise priority if the affected Siemens product is present in production OT/ICS environments or if the Linux kernel pNFS path is used operationally.

Recommended defensive actions

  • Verify whether Siemens SIMATIC CN 4100 vers:intdot/<5.0 is present in your environment and confirm whether the advisory scope matches your deployed assets.
  • If affected, apply the vendor remediation and update to V5.0 or later as specified in the source advisory.
  • Review any systems that rely on pNFS block/scsi layout handling for availability-sensitive workloads, especially where repeated layout commit retries are possible.
  • Use asset and configuration inventory to resolve the source mismatch between the Siemens product metadata and the Linux kernel description before planning remediation.
  • Monitor for abnormal availability events around layout commit operations until the affected version is confirmed absent or patched.

Evidence notes

The source advisory is CISA CSAF ICSA-26-134-10, published 2026-05-12 and republished 2026-05-14. It lists product metadata for Siemens SIMATIC CN 4100 vers:intdot/<5.0 and a remediation of V5.0 or later, while the narrative description discusses a Linux kernel pNFS block/scsi layout uninitialized pointer dereference and an oversized layoutcommit concern. That inconsistency is material and should be validated against the Siemens advisory and the CVE record before drawing scope conclusions. The published CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H with a score of 5.5.

Official resources

Publicly disclosed by CISA in advisory ICSA-26-134-10 on 2026-05-12, then republished on 2026-05-14 with Siemens ProductCERT advisory SSA-032379 included in the revision history.