PatchSiren cyber security CVE debrief
CVE-2025-38707 Cert Portal CVE debrief
CVE-2025-38707 is described in the source advisory as a Linux kernel ntfs3 sanity-check issue where the file name length should be smaller than the directory entry size. The advisory’s CVSS vector indicates a local, low-privilege problem with no confidentiality or integrity impact and high availability impact. The source record maps the issue to Siemens SIMATIC CN 4100 versions earlier than 5.0 and recommends updating to V5.0 or later. Because the vendor/product mapping is marked low confidence in the supplied corpus, this should be validated against the affected environment before actioning fleet-wide changes.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators, maintainers, and asset owners responsible for Siemens SIMATIC CN 4100 systems listed in the advisory, especially versions earlier than 5.0. Security teams that manage embedded Linux images or filesystem handling in industrial environments should also review whether the ntfs3 fix is present.
Technical summary
The supplied source text says the Linux kernel ntfs3 code now includes a sanity check that the file name length is smaller than the directory entry size; a name length that exceeds its entry would otherwise drive reads past the end of the entry. The associated CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which corresponds to a locally reachable issue requiring low privileges and resulting in high availability impact. The corpus also references CWE-20 (Improper Input Validation). The advisory metadata ties the issue to Siemens SIMATIC CN 4100 vers:intdot/<5.0, but the vendor/product mapping is explicitly low-confidence and should be treated as advisory metadata that needs validation.
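To make the check concrete, the following is an added example, not the kernel's ntfs3 code and not taken from the advisory: it walks a simplified, constructed directory-entry buffer (the layout is hypothetical, not the on-disk NTFS format) and rejects any entry whose name length does not fit inside its own entry size.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified directory-entry layout constructed for this example; it is not
 * the on-disk NTFS index-entry format and not the kernel's ntfs3 structures.
 * Entry: bytes 0..3 size (little-endian, includes header), byte 4 name
 * length, bytes 5.. name bytes, then padding up to the entry size. */
#define HDR_LEN 5u

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The sanity check the CVE description refers to: the name must fit inside
 * its own entry. Without it, a corrupt or crafted name_len drives the read
 * of the name past the end of the entry. */
int name_fits_entry(uint32_t entry_size, uint32_t name_len)
{
    return entry_size >= HDR_LEN && name_len <= entry_size - HDR_LEN;
}

/* Walks the entries in buf[0..len). Returns the number of well-formed
 * entries, or -1 at the first corrupt one: truncated header, entry size
 * larger than the bytes left, or a name length that does not fit. */
int count_entries(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < HDR_LEN)
            return -1;                     /* truncated header */
        uint32_t size = le32(buf + off);
        uint32_t name_len = buf[off + 4];
        if (size > len - off)
            return -1;                     /* entry overruns the buffer */
        if (!name_fits_entry(size, name_len))
            return -1;                     /* oversized name: the CVE case */
        off += size;
        n++;
    }
    return n;
}

/* Constructed sample images: two valid entries ("a", "bc"), and a copy whose
 * second entry claims a 200-byte name inside a 7-byte entry. */
const uint8_t GOOD_IMAGE[] = { 6,0,0,0, 1,'a', 7,0,0,0, 2,'b','c' };
const uint8_t BAD_IMAGE[]  = { 6,0,0,0, 1,'a', 7,0,0,0, 200,'b','c' };
```

A parser that reaches the name bytes before this check has no way to know the second entry of BAD_IMAGE lies about its name; the walker above stops at that entry instead.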
Defensive priority
Medium. Prioritize remediation for any confirmed Siemens SIMATIC CN 4100 systems running versions earlier than 5.0, and for environments where local-privilege or filesystem-triggered availability issues could materially affect operations.
Recommended defensive actions
- Verify whether any Siemens SIMATIC CN 4100 devices or images in scope are running a version earlier than 5.0.
- Apply the vendor remediation to update to V5.0 or later, as listed in the supplied advisory.
- Confirm that any embedded Linux builds or firmware images include the ntfs3 filename-length sanity-check fix.
- Use CISA ICS recommended practices and defense-in-depth guidance to reduce the impact of local availability issues.
- Document and validate the affected product mapping before scheduling broad maintenance, because the supplied vendor metadata is marked low confidence.
Evidence notes
The supplied corpus identifies the issue as "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add sanity check for file name. The length of the file name should be smaller than the directory entry size." The same corpus lists publication on 2026-05-12 and republication on 2026-05-14, and it includes a remediation to update to V5.0 or later. The CVSS vector supplied in the source item is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5 Medium). The vendor/product mapping in the corpus is marked low confidence and needs review, so the product association should be validated against authoritative vendor documentation.
Official resources
- CVE-2025-38707 CVE record (CVE.org)
- CVE-2025-38707 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in CISA ICS Advisory ICSA-26-134-10 on 2026-05-12, with a CISA republication on 2026-05-14 incorporating Siemens ProductCERT advisory SSA-032379. No KEV listing was supplied in the corpus.