PatchSiren cyber security CVE debrief
CVE-2025-38701 Cert Portal CVE debrief
CVE-2025-38701 describes an ext4 robustness issue in the Linux kernel where an inode can have INLINE_DATA_FL set without the expected system.data xattr, leading to a BUG_ON and potential denial of service. The fix replaces the BUG_ON behavior with error reporting so the kernel treats the situation as filesystem corruption instead of crashing. The supplied advisory context maps the issue to Siemens SIMATIC CN 4100 <5.0, but the vulnerability text itself is Linux-kernel-focused, so the product scope should be verified.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Administrators and operators responsible for affected Siemens SIMATIC CN 4100 deployments, and teams that mount or process untrusted ext4 filesystems or filesystem images.
Technical summary
According to the source advisory, a syzbot-fuzzed filesystem image exposed an ext4 bug in ext4_update_inline_data() when INLINE_DATA_FL was set but the system.data extended attribute was missing. Similar BUG_ON-to-EXT4_ERROR_INODE() changes were applied in ext4_create_inline_data() and ext4_inline_data_truncate(). The practical effect is availability impact: instead of handling the inconsistent metadata as corruption, the kernel could hit a BUG_ON and stop normally running code paths. The provided CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5/Medium).
Defensive priority
Medium. Apply the vendor fix promptly on exposed systems because the issue can produce a denial-of-service condition and the source recommends updating to V5.0 or later.
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, as listed in the advisory.
- Verify whether your deployment actually matches the advisory scope before scheduling remediation, because the supplied record mixes a Siemens product label with a Linux ext4 kernel description.
- Prioritize systems that mount removable, user-supplied, or otherwise untrusted ext4 filesystem images.
- Monitor for filesystem corruption and unexpected kernel faults related to ext4 inline data handling.
- Maintain tested backups and recovery procedures so impacted systems can be restored if a corrupted filesystem is encountered.
Evidence notes
The source corpus is CISA CSAF advisory ICSA-26-134-10, republished from Siemens ProductCERT advisory SSA-032379. It was published on 2026-05-12 and republished on 2026-05-14. The advisory text states that a fuzzed image triggered BUG_ON in ext4_update_inline_data() when INLINE_DATA_FL was present without system.data, and that the fix replaces BUG_ON with EXT4_ERROR_INODE() in multiple ext4 functions. The supplied record lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and a vendor remediation of V5.0 or later. The product mapping in the supplied data should be reviewed because the description is kernel-level while the product label is Siemens SIMATIC CN 4100 <5.0.
Official resources
-
CVE-2025-38701 CVE record
CVE.org
-
CVE-2025-38701 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory on 2026-05-12 and republished it on 2026-05-14 with Siemens ProductCERT content. The supplied record ties the CVE to Siemens SIMATIC CN 4100 <5.0, but the vulnerability description is a Linux kernel ext4 issue,so