PatchSiren cyber security CVE debrief
CVE-2025-38698 Cert Portal CVE debrief
CVE-2025-38698 was published by CISA on 2026-05-12 and republished on 2026-05-14 as ICSA-26-134-10. The supplied advisory text describes a corrupted regular file with a negative i_size value and says a check should be added when opening the file to avoid later failures. The source corpus also maps the advisory to Siemens SIMATIC CN 4100 versions before 5.0, but the description references the Linux kernel JFS, so applicability should be verified before taking action.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers of Siemens SIMATIC CN 4100 deployments, especially versions earlier than 5.0, should review this advisory. Security and platform teams should also validate whether any Linux kernel/JFS-related component is actually in scope, because the supplied product mapping and vulnerability description do not fully align.
Technical summary
The advisory describes a file-corruption handling issue: a reproducer creates a corrupted file on disk with a negative i_size value, and the fix is to check for that condition when opening the file to prevent subsequent operation failures. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a local, low-privilege, high-complexity issue with high impact if the affected condition is present.
Defensive priority
High, but verify applicability first due to the source/product mismatch.
Recommended defensive actions
- Confirm whether any Siemens SIMATIC CN 4100 assets are running a version earlier than 5.0.
- Review Siemens advisory SSA-032379 and the CISA ICS advisory ICSA-26-134-10 for vendor guidance.
- Apply the vendor fix by updating to V5.0 or later where the advisory applies.
- If you operate Linux kernel/JFS-based systems, cross-check patch status against the public CVE record because the supplied description references JFS corruption handling.
- Schedule remediation in a maintenance window and validate normal file-handling behavior after the update.
Evidence notes
Evidence is limited to the supplied CISA CSAF advisory record and the Siemens references it lists. The corpus states the publication date as 2026-05-12 and the CISA republication date as 2026-05-14. The advisory text references a negative i_size corruption check, while the product mapping names Siemens SIMATIC CN 4100 vers:intdot/<5.0; this inconsistency is why the vendor confidence is low and human review is warranted.
Official resources
- CVE-2025-38698 CVE record (CVE.org)
- CVE-2025-38698 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public advisory issued by CISA on 2026-05-12 and republished on 2026-05-14; no KEV listing is present in the supplied data.