PatchSiren cyber security CVE debrief
CVE-2025-38697 Cert Portal CVE debrief
CVE-2025-38697 is described in the source corpus as a Linux kernel JFS bounds-check problem in dbAllocAG: the tree index is computed without an upper-bound check against the stree size, which could matter when filesystem metadata are corrupted. The same advisory metadata also maps the issue to Siemens SIMATIC CN 4100 versions earlier than 5.0, but that product mapping is low confidence and should be verified because the vulnerability description and product metadata do not cleanly align. The advisory was published on 2026-05-12 and republished by CISA on 2026-05-14. No KEV listing was provided.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Administrators and security teams responsible for Siemens SIMATIC CN 4100 deployments should verify whether their environment matches the advisory scope and apply the vendor fix if applicable. Linux storage and filesystem maintainers, especially teams handling JFS-based systems or downstream integrations, should also review the bounds-check issue for any related exposure.
Technical summary
The reported issue is an out-of-bounds tree-index calculation in dbAllocAG when the code does not enforce an upper bound relative to the size of the stree. According to the provided description, the risky condition can arise if filesystem metadata are corrupted. The supplied CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, which reflects a local, low-privilege, no-user-interaction scenario with high confidentiality, integrity, and availability impact.
Defensive priority
High, with scope verification first because the source corpus contains a product-description mismatch and the vendor mapping is low confidence.
Recommended defensive actions
- Verify whether your deployed product matches the Siemens SIMATIC CN 4100 scope in the advisory metadata, since the source description references Linux kernel JFS and the product mapping is low confidence.
- Apply the vendor remediation provided in the source corpus: update to V5.0 or later where applicable.
- Review any systems that rely on JFS or related filesystem handling for exposure to bounds-check issues in metadata processing.
- Monitor advisory updates and cross-check the official CVE record and NVD entry for any scoring or scope clarifications.
- If the affected product is in use, prioritize validation in maintenance windows and confirm version inventory before making changes.
Evidence notes
The source corpus identifies CVE-2025-38697 in CISA CSAF advisory ICSA-26-134-10, with revision history showing initial publication on 2026-05-12 and CISA republication on 2026-05-14. The corpus also includes Siemens ProductCERT references and a remediation to update to V5.0 or later. However, the vendor field is marked low confidence and the advisory metadata product mapping ('Siemens SIMATIC CN 4100 vers:intdot/<5.0') does not match the Linux kernel JFS description, so applicability should be confirmed before actioning.
Official resources
-
CVE-2025-38697 CVE record
CVE.org
-
CVE-2025-38697 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published in the source corpus on 2026-05-12 and republished by CISA on 2026-05-14. The provided enrichment does not mark this CVE as KEV-listed.