PatchSiren cyber security CVE debrief
CVE-2025-38702 Cert Portal CVE debrief
CVE-2025-38702 is a high-severity Linux kernel framebuffer registration bug described in a CISA CSAF advisory for Siemens SIMATIC CN 4100. The issue can lead to a buffer overflow in do_register_framebuffer() when registration bookkeeping leaves NULL gaps or when the registration loop can advance past the end of registered_fb[]. The source advisory recommends updating to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators and administrators of Siemens SIMATIC CN 4100 systems, especially those running versions earlier than V5.0; also Linux/embedded maintainers responsible for framebuffer-related components in affected deployments.
Technical summary
The advisory says the vulnerable path is fbdev: do_register_framebuffer(). Under certain registration/unregistration states, registered_fb[] can contain NULL gaps while num_registered_fb remains below FB_MAX, allowing the registration loop to continue until it reaches registered_fb[FB_MAX]. The fix adds a boundary check to prevent out-of-bounds access. The source assigns CVSS v3.1 7.8 HIGH with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access and low privileges are required.
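A simplified user-space model of the slot search described above, added here as an illustration and not taken from the kernel source or the advisory. The struct, the function names and the FB_MAX value of 32 are assumptions of the model; the unchecked variant only returns the index a registration would write to, so the model itself never writes outside the table.

```c
#include <errno.h>
#include <stdio.h>

#define FB_MAX 32  /* table size assumed for this model */

struct fb_model {
    const void *registered_fb[FB_MAX];
    int num_registered_fb;  /* counter tracked separately from the table */
};

/* Counter-only guard: returns the index a registration would write to.
 * The write is left out so the model never touches memory past the table. */
int slot_without_check(const struct fb_model *m)
{
    int i;
    if (m->num_registered_fb == FB_MAX)
        return -ENXIO;
    for (i = 0; i < FB_MAX; i++)
        if (!m->registered_fb[i])
            break;
    return i;  /* equals FB_MAX when no NULL slot exists */
}

/* Same guard plus the boundary check on the index the search produced. */
int slot_with_check(const struct fb_model *m)
{
    int i = slot_without_check(m);
    return (i >= FB_MAX) ? -ENXIO : i;
}

/* Constructed state: all slots occupied except `gap` (-1 for none). */
const struct fb_model *make_state(int gap, int counter)
{
    static struct fb_model m;
    static const int dummy = 0;
    for (int i = 0; i < FB_MAX; i++)
        m.registered_fb[i] = (i == gap) ? NULL : &dummy;
    m.num_registered_fb = counter;
    return &m;
}

int main(void)
{
    printf("full, counter low, unchecked: %d\n", slot_without_check(make_state(-1, FB_MAX - 1)));
    printf("full, counter low, checked:   %d\n", slot_with_check(make_state(-1, FB_MAX - 1)));
    printf("gap at 5, checked:            %d\n", slot_with_check(make_state(5, FB_MAX - 1)));
    return 0;
}
```

When the counter and the table disagree, the unchecked variant yields index FB_MAX, one element past the array, while the checked variant rejects the registration with -ENXIO.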
Defensive priority
High for affected Siemens SIMATIC CN 4100 deployments and any environment exposing the vulnerable kernel component to local users or privileged services. The combination of buffer overflow potential and high CVSS impact makes patching important, but the local attack vector reduces urgency for strictly isolated systems with no meaningful local access.
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, as recommended in the source advisory.
- Inventory versions and confirm whether any deployed systems fall under the advisory scope of vers:intdot/<5.0.
- Prioritize patching systems that permit local logins, maintenance access, or other forms of local code execution.
- Review local access controls and reduce unnecessary privileged access on affected hosts.
- Use the official Siemens and CISA advisory links to verify remediation guidance and follow-up notices.
Evidence notes
Source item ICSA-26-134-10 (published 2026-05-12, republished 2026-05-14) states: "fbdev: fix potential buffer overflow in do_register_framebuffer()" and explains that NULL gaps in registered_fb[] and full array occupancy can let the registration loop exceed array bounds. The advisory recommends updating to V5.0 or later. The source metadata also provides the CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Timing in this debrief uses the CVE/source publication and modification dates supplied in the corpus.
Official resources
- CVE-2025-38702 CVE record (CVE.org)
- CVE-2025-38702 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published ICSA-26-134-10 on 2026-05-12 and republished it on 2026-05-14 as an initial republication of Siemens ProductCERT SSA-032379.