PatchSiren cyber security CVE debrief

CVE-2025-38699 Cert Portal CVE debrief

CVE-2025-38699 is a double-free issue in the Linux kernel's scsi: bfa driver (the Brocade Fibre Channel HBA driver). According to the advisory text, bfad_im_probe() can free bfad->im on an initialization failure without clearing the pointer, and bfad_im_probe_undo() may then free the same pointer again during driver shutdown. CISA's CSAF advisory maps the issue to Siemens SIMATIC CN 4100 versions earlier than V5.0 and points to the Siemens remediation of updating to V5.0 or later.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators and administrators responsible for Siemens SIMATIC CN 4100 deployments identified by the advisory, especially where versions earlier than V5.0 are still in service. Linux kernel and storage/adapter maintainers who ship or rely on the bfa driver should also review the double-free fix.

Technical summary

The vulnerability is a memory-safety bug in the bfa driver's probe/cleanup path. When bfad_im_probe() fails partway through initialization, bfad->im is freed but the pointer is left dangling rather than set to NULL. If the driver later enters the stopping state, bfad_im_probe_undo() frees bfad->im again, producing a double free (CWE-415). The fix is to clear bfad->im after the failed probe frees it, so the later kfree() sees NULL and becomes a no-op. The advisory provides a CVSS v3.1 vector of AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, which computes to a 6.4 (medium) base score.
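The following user-space model reproduces the bug shape described above: a probe path that frees an allocation on failure without clearing the pointer, followed by an undo path that frees it unconditionally. It is an added illustration, not code from the Linux bfa driver or from the advisory; the struct, the instrumented free, the failing setup step and the function names are all assumptions used to model the pattern. The instrumented free records every pointer it releases so a second free of the same address is counted instead of corrupting the heap, which is what the real kfree() would do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the driver's per-adapter state. It is not the
 * kernel's struct bfad_s; only the field needed to model the bug is kept. */
struct im_state { int initialized; };
struct adapter  { struct im_state *im; };

/* Instrumented free: logs each pointer it releases so a repeat free of the
 * same address is counted rather than passed to the allocator. Like kfree(),
 * it treats NULL as a no-op. Memory is released in release_model() so the
 * logged pointer values stay valid for comparison while a scenario runs. */
#define LOG_MAX 16
static void *freed_log[LOG_MAX];
static int   freed_count;
static int   double_free_count;

static void model_kfree(void *p) {
    if (p == NULL) return;                      /* kfree(NULL) is a no-op */
    for (int i = 0; i < freed_count; i++) {
        if (freed_log[i] == p) {                /* already freed: double free */
            double_free_count++;
            return;
        }
    }
    if (freed_count < LOG_MAX) freed_log[freed_count++] = p;
}

static void reset_model(void) {
    freed_count = 0;
    double_free_count = 0;
}

static void release_model(void) {
    for (int i = 0; i < freed_count; i++) free(freed_log[i]);
    freed_count = 0;
}

/* Assumed secondary initialization step that fails, standing in for the part
 * of the probe that can error out after bfad->im has been allocated. */
static int im_setup_fails(void) { return -1; }

/* Vulnerable shape: allocate, fail later, free, but leave the pointer dangling. */
int probe_vulnerable(struct adapter *bfad) {
    bfad->im = calloc(1, sizeof(*bfad->im));
    if (!bfad->im) return -1;
    if (im_setup_fails()) {
        model_kfree(bfad->im);      /* freed here ... */
        return -1;                  /* ... but bfad->im still holds the address */
    }
    return 0;
}

/* Fixed shape: clear the pointer after freeing so the undo path's free is a no-op. */
int probe_fixed(struct adapter *bfad) {
    bfad->im = calloc(1, sizeof(*bfad->im));
    if (!bfad->im) return -1;
    if (im_setup_fails()) {
        model_kfree(bfad->im);
        bfad->im = NULL;            /* the one-line fix */
        return -1;
    }
    return 0;
}

/* Mirrors an undo/stop path that frees bfad->im unconditionally. */
static void probe_undo(struct adapter *bfad) {
    model_kfree(bfad->im);
    bfad->im = NULL;
}

/* Run probe then undo and return how many double frees were observed. */
int run_scenario(int (*probe)(struct adapter *)) {
    struct adapter bfad;
    memset(&bfad, 0, sizeof(bfad));
    reset_model();
    (void)probe(&bfad);             /* probe fails in both variants */
    probe_undo(&bfad);              /* shutdown path runs regardless */
    int count = double_free_count;
    release_model();
    return count;
}

int main(void) {
    printf("vulnerable probe: %d double free(s)\n", run_scenario(probe_vulnerable));
    printf("fixed probe:      %d double free(s)\n", run_scenario(probe_fixed));
    return 0;
}
```

The vulnerable scenario reports one double free and the fixed scenario none. On a real kernel the second kfree() would not be caught this way; it would hand an already-freed object back to the slab allocator, which is why the advisory rates confidentiality, integrity and availability impact all as high despite the local, high-privilege preconditions.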

Defensive priority

Medium. Exploitation requires local access with high privileges and high attack complexity, but a successful trigger is rated high impact on confidentiality, integrity and availability. Prioritize remediation on operational Siemens SIMATIC CN 4100 systems and schedule the kernel/driver update promptly.

Recommended defensive actions

  • Apply Siemens' recommended update to V5.0 or later for affected SIMATIC CN 4100 systems.
  • Confirm whether any deployed systems match the advisory's affected version scope before maintenance windows.
  • Track the Linux kernel scsi:bfa fix in your patch management process and verify the double-free/nulling change is present.
  • Limit privileged local access on impacted systems until remediation is complete.
  • Use standard ICS defense-in-depth and asset inventory practices for affected environments.

Evidence notes

Source evidence comes from CISA's CSAF advisory ICSA-26-134-10 and the linked Siemens ProductCERT material. The advisory description explicitly states the bfad_im_probe()/bfad_im_probe_undo() double-free condition and the fix to set bfad->im to NULL after probe failure. The advisory metadata lists Siemens SIMATIC CN 4100 vers:intdot/<5.0 and a vendor remediation of V5.0 or later. The CVSS vector in the source is AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, and the CWE reference is CWE-415.

Official resources

CISA published the source advisory on 2026-05-12 and republished it on 2026-05-14 after incorporating Siemens ProductCERT SSA-032379 material. For timeline context, use 2026-05-12 as the CVE publication date and 2026-05-14 as the modified/