PatchSiren cyber security CVE debrief
CVE-2025-38695 Cert Portal CVE debrief
CVE-2025-38695 is a Linux kernel null pointer dereference in the scsi: lpfc cleanup path. The advisory says a failed lpfc_sli4_read_rev() call can lead to cleanup running before sli4_hba.hdwqs are allocated, and the code may then try to access the first hardware queue's lock through a null hdwq pointer. The published fix is a null check with an early return.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators, integrators, and maintenance teams responsible for the Siemens SIMATIC CN 4100 systems named in the advisory, especially any deployment running a version before V5.0. Security and operations teams should also review whether the affected Linux lpfc path exists in their broader embedded or industrial Linux estate.
Technical summary
The vulnerability is in the Linux kernel lpfc driver cleanup logic. If lpfc_sli4_read_rev() fails during lpfc_sli4_hba_setup(), the cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may execute before hardware queues are allocated. That creates a path where taking abts_io_buf_list_lock for the first queue can dereference phba->sli4_hba.hdwq while it is still null. The remediation is to check phba->sli4_hba.hdwq and return early when initialization has already failed.
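The ordering problem and the guard can be seen in a small user-space model. This is an added example, not the kernel driver's code or the published patch: the `model_*` names, struct layouts, return codes, and the integer standing in for the spinlock are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space model; field names follow the advisory, layout is assumed. */
struct model_hdwq {
    int abts_io_buf_list_lock;  /* stands in for the per-queue lock */
    int aborted_bufs;           /* constructed: pending aborted I/O buffers */
};
struct model_hba { struct { struct model_hdwq *hdwq; } sli4_hba; };

/* Models lpfc_sli4_read_rev(): a nonzero fail_rev simulates the failing call. */
static int model_read_rev(int fail_rev) { return fail_rev ? -1 : 0; }

/* Models lpfc_sli4_hba_setup(): read_rev runs before the queues are allocated. */
int model_hba_setup(struct model_hba *phba, int fail_rev)
{
    phba->sli4_hba.hdwq = NULL;
    if (model_read_rev(fail_rev) != 0)
        return -1;                          /* hdwq is still NULL here */
    phba->sli4_hba.hdwq = calloc(1, sizeof(*phba->sli4_hba.hdwq));
    if (!phba->sli4_hba.hdwq)
        return -1;
    phba->sli4_hba.hdwq[0].aborted_bufs = 3; /* constructed sample state */
    return 0;
}

/* Models the cleanup with the null check and early return.
 * Returns -1 when skipped because the queues were never allocated,
 * otherwise the number of aborted buffers released from the first queue. */
int model_delete_fcp_xri_aborted(struct model_hba *phba)
{
    if (!phba->sli4_hba.hdwq)
        return -1;  /* without this check the next line dereferences NULL */

    struct model_hdwq *q = &phba->sli4_hba.hdwq[0];
    q->abts_io_buf_list_lock = 1;           /* "take" the first queue's lock */
    int released = q->aborted_bufs;
    q->aborted_bufs = 0;
    q->abts_io_buf_list_lock = 0;           /* "release" the lock */
    return released;
}

int main(void)
{
    struct model_hba phba;
    int rc = model_hba_setup(&phba, 1);     /* simulate the read_rev failure */
    printf("setup rc=%d, cleanup rc=%d\n", rc, model_delete_fcp_xri_aborted(&phba));
    return 0;
}
```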
Defensive priority
High priority for affected deployments: the advisory rates the issue HIGH and assigns high impact to confidentiality, integrity, and availability in the provided CVSS vector, with vendor remediation directing upgrades to V5.0 or later.
Recommended defensive actions
- Verify whether your Siemens SIMATIC CN 4100 deployment is in scope of the advisory and whether it is running a version earlier than V5.0.
- Apply the vendor remediation and upgrade to V5.0 or later as directed by Siemens.
- Use a maintenance window and validate the update in your operational environment before broad rollout.
- Review CISA and Siemens advisory updates for any revisions to affected versions or remediation guidance.
- Follow CISA industrial control system defensive guidance and defense-in-depth practices while remediation is planned.
Evidence notes
The source advisory text explicitly states that a failure in lpfc_sli4_read_rev() during lpfc_sli4_hba_setup() can leave sli4_hba.hdwqs unallocated, and that cleanup may then dereference a null hdwq pointer when taking abts_io_buf_list_lock. The source also provides the CVSS vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, references CWE-476, and records a Siemens remediation to update to V5.0 or later. CISA lists the advisory publication date as 2026-05-12 and a republication on 2026-05-14.
Official resources
- CVE-2025-38695 CVE record (CVE.org)
- CVE-2025-38695 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT advisory material; this debrief reflects the supplied source corpus and timing fields.