PatchSiren cyber security CVE debrief
CVE-2025-38713 Cert Portal CVE debrief
CVE-2025-38713 describes a Linux kernel HFS+ bug in which the hfsplus_readdir() path reaches hfsplus_uni2asc() and triggers a slab-out-of-bounds read. The advisory text includes a KASAN report showing the fault during getdents64()/readdir activity, and the supplied CVSS v3.1 vector rates the issue HIGH (7.0). From a defensive standpoint it matters most on systems that mount or process HFS+ filesystems, especially where local users or local filesystem access can exercise the path.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0 (low-confidence mapping; see Evidence notes)
- CVSS: HIGH (7.0)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Linux kernel maintainers, distro security teams, embedded and system operators whose hosts mount HFS+ media, and incident responders responsible for hosts with hfsplus filesystem support enabled or loadable.
Technical summary
The supplied source states that hfsplus_readdir() can call hfsplus_uni2asc() in a way that reads past the end of an allocated object, producing a slab-out-of-bounds read detected by KASAN. The trace shows the failure during directory enumeration (getdents64/iterate_dir) and identifies a 2-byte read beyond the allocated region. The source CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 7.0): local access by a low-privileged user, with nontrivial conditions to reach the fault, but high confidentiality, integrity and availability impact once it is reached. One practical reading of the trace: getdents64() is the system call behind an ordinary directory listing, so once an HFS+ volume is mounted any user permitted to read a directory on it can drive the affected code. Whether a given volume contains on-disk data that actually triggers the out-of-bounds read is not something the supplied text describes, so the safe assumption is that any untrusted HFS+ image is a risk.
Defensive priority
High for Linux environments that may mount HFS+ volumes or otherwise exercise the hfsplus filesystem code path; lower operational priority on hosts that never use HFS+ support.
Recommended defensive actions
- Apply the Linux kernel fix for the hfsplus_uni2asc() slab-out-of-bounds read through your vendor or distribution update channel as soon as it is available.
- Prioritize hosts that can mount removable media or legacy HFS+ volumes, including any desktop or appliance builds that automount inserted media.
- Review whether HFS+ support is needed at all; where it is not, prevent the hfsplus module from loading (or build it out of the kernel) rather than relying on nobody ever mounting such a volume.
- Monitor kernel and distro security advisories for backported fixes, and confirm that the build you deploy actually contains the hfsplus change rather than only a newer version string.
- Use general ICS/host hardening guidance from CISA for layered defense while patching is in progress.
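To make the "review whether HFS+ support is needed" step concrete, here is an added example (not code from the advisory, from CISA, or from the kernel project) that classifies a Linux host's exposure from /proc/filesystems, /proc/modules and /proc/mounts and prints the modprobe.d fragment that stops the hfsplus module from being loaded on demand. The /proc contents embedded below are constructed samples; the function names, the file /etc/modprobe.d/hfsplus.conf and the HFSPLUS_LIVE switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): assess whether a Linux host can
# exercise the hfsplus code path, and emit the modprobe.d fragment that
# stops the module from loading on demand. The functions take file paths
# so they run against the constructed samples below or the live /proc files.

# Constructed sample of /proc/filesystems: hfsplus is registered, meaning
# it is either built into the kernel or currently loaded as a module.
SAMPLE_FILESYSTEMS=$(printf 'nodev\tsysfs\nnodev\tproc\n\text4\n\thfsplus\n\tvfat\n')

# Constructed sample of /proc/modules with hfsplus loaded.
SAMPLE_MODULES=$(printf 'hfsplus 110592 0 - Live 0xffffffffc0a00000\nvfat 24576 1 - Live 0xffffffffc0900000\n')

# Constructed sample of /proc/mounts with one HFS+ volume mounted.
SAMPLE_MOUNTS=$(printf '/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sdb2 /media/legacy hfsplus ro,relatime 0 0\n')

# hfsplus_registered FILE: 0 if hfsplus appears in a /proc/filesystems-style listing.
hfsplus_registered() {
    grep -q '[[:space:]]hfsplus$' "$1"
}

# hfsplus_loaded FILE: 0 if hfsplus appears in a /proc/modules-style listing.
hfsplus_loaded() {
    grep -q '^hfsplus ' "$1"
}

# hfsplus_mounts FILE: print the mount points of hfsplus entries in a
# /proc/mounts-style listing (field 3 is the filesystem type).
hfsplus_mounts() {
    awk '$3 == "hfsplus" { print $2 }' "$1"
}

# hfsplus_exposure FILESYSTEMS MODULES: classify the host as
#   builtin - registered but not a loaded module (compiled in; only a fixed
#             or rebuilt kernel removes the code path)
#   module  - loaded as a module (unmount any HFS+ volumes, unload, blacklist)
#   absent  - not registered right now, but mount(2) can still request_module()
#             it unless it is blacklisted or not shipped at all
hfsplus_exposure() {
    if hfsplus_registered "$1"; then
        if hfsplus_loaded "$2"; then
            echo module
        else
            echo builtin
        fi
    else
        echo absent
    fi
}

# blacklist_config: modprobe.d fragment. "blacklist" alone only stops
# alias-based autoloading; the "install ... /bin/false" line also defeats an
# explicit modprobe and the request_module() that mount(2) triggers.
blacklist_config() {
    printf '%s\n' 'blacklist hfsplus' 'install hfsplus /bin/false'
}

# Live run against the real /proc files when invoked as:
#   HFSPLUS_LIVE=1 sh hfsplus-exposure.sh
if [ "${HFSPLUS_LIVE:-0}" = 1 ]; then
    echo "hfsplus exposure: $(hfsplus_exposure /proc/filesystems /proc/modules)"
    echo "hfsplus mounts:"
    hfsplus_mounts /proc/mounts
    echo "suggested /etc/modprobe.d/hfsplus.conf:"
    blacklist_config
fi
```

Two caveats a practitioner should keep in mind: the modprobe.d fragment does nothing for a kernel with hfsplus compiled in (the "builtin" case), where only the patched kernel helps; and blacklisting does not touch volumes that are already mounted, so on a "module" host unmount them first, then `modprobe -r hfsplus`, then install the fragment.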
Evidence notes
The supplied advisory text explicitly says: 'In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc().' It also includes a KASAN trace showing a slab-out-of-bounds read in hfsplus_uni2asc() during hfsplus_readdir()/getdents64. The source record was published 2026-05-12 and modified 2026-05-14. One important caveat: the structured product metadata references 'Siemens SIMATIC CN 4100 vers:intdot/<5.0', but the vulnerability description itself is about the Linux kernel HFS+ filesystem. The vendor/product mapping is therefore low confidence and is marked 'needs review' in the supplied data.
Official resources
- CVE-2025-38713 CVE record (CVE.org)
- CVE-2025-38713 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA's source advisory was published on 2026-05-12 and republished on 2026-05-14. The advisory narrative is about a Linux kernel HFS+ bug, while the structured product metadata names Siemens SIMATIC CN 4100; treat the product attribution as