PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-38721 Cert Portal CVE debrief

CVE-2025-38721 describes an availability issue in Linux kernel netfilter conntrack table dumping logic. Under a narrow condition, ctnetlink_dump_table() can take an extra reference on a conntrack object and never release it, which can prevent cleanup from completing and leave netns dismantle or conntrack removal waiting indefinitely. The supplied advisory corpus maps this issue to Siemens SIMATIC CN 4100 versions earlier than 5.0, but that vendor mapping is marked low-confidence and should be verified against the affected deployment.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators and maintainers of Siemens SIMATIC CN 4100 systems listed in the advisory, especially anyone running Linux-based network or OT appliances that use conntrack/netfilter. Kernel and platform teams should care because the issue can stall cleanup paths and affect service availability, even though it is not a remote code execution flaw.

Technical summary

The reported flaw is a reference-count leak in ctnetlink_dump_table(). If the dump path encounters the rare case where ct equals last, the code path can increment the conntrack object reference count a second time without undoing it. That leaves the conntrack object pinned, keeps cnet->count from returning to zero, and can block nf_conntrack_cleanup_net_list() during network namespace teardown or conntrack module unload. The supplied CVSS vector indicates local access with low privileges is required and the impact is availability-only (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
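As an added illustration (not kernel code and not taken from the advisory), the C model below reproduces the reference-accounting pattern the summary describes: a paginated table dump stashes a cursor that holds one reference, and the end-of-dump path forgets a cursor that points at the entry the batch was already resuming from, so a second reference taken on that resume path is never dropped. The names ct_entry, dump_cb, fill_info, dump_table and leaked_refs_after_dump are invented for the model; the `ct != last` guard in the corrected variant is one straightforward way to keep get/put balanced and is not claimed to be the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define N_ENTRIES 3

/* Toy stand-in for a conntrack entry; only the reference count matters here. */
struct ct_entry {
    int id;
    int use;   /* stands in for ct->ct_general.use */
};

/* Per-dump state; the cursor stands in for cb->args[1] and holds one reference. */
struct dump_cb {
    struct ct_entry *cursor;
};

static void ct_get(struct ct_entry *ct) { ct->use++; }
static void ct_put(struct ct_entry *ct) { ct->use--; }

/* Models the fill step: fails with -1 once the output buffer has no room left. */
static int fill_info(int *room)
{
    if (*room <= 0)
        return -1;
    (*room)--;
    return 0;
}

/* One dump batch over the table. Returns the number of entries emitted.
 * guard_resume=false is the leaky variant, guard_resume=true the corrected one. */
static int dump_table(struct ct_entry *tbl, size_t n, struct dump_cb *cb,
                      int room, bool guard_resume)
{
    struct ct_entry *last = cb->cursor;   /* entry the previous batch stopped at */
    int emitted = 0;

    for (size_t i = 0; i < n; i++) {
        struct ct_entry *ct = &tbl[i];

        /* Resuming: skip until the cursor entry is reached, then clear the cursor. */
        if (cb->cursor) {
            if (ct != last)
                continue;
            cb->cursor = NULL;
        }

        if (fill_info(&room) < 0) {
            /* Buffer full: stash ct as the cursor for the next batch.
             * Leaky variant: always take a reference, even when ct == last,
             * although last already holds one and the cleanup below drops
             * only that single reference. */
            if (!guard_resume || ct != last)
                ct_get(ct);
            cb->cursor = ct;
            goto out;
        }
        emitted++;
    }
out:
    if (last) {
        /* Leftover-cursor handling: if the cursor still points at last,
         * forget it and drop the reference last was holding. */
        if (cb->cursor == last)
            cb->cursor = NULL;
        ct_put(last);
    }
    return emitted;
}

/* Runs a two-batch dump in which the resumed-at entry does not fit the second
 * buffer either (the rare case), then tears the table down. Returns the number
 * of references still held afterwards: 0 means cleanup can complete, >0 models
 * the count that never returns to zero. */
static int leaked_refs_after_dump(bool guard_resume)
{
    struct ct_entry tbl[N_ENTRIES];
    struct dump_cb cb = { .cursor = NULL };
    int leaked = 0;

    for (int i = 0; i < N_ENTRIES; i++) {
        tbl[i].id = i;
        tbl[i].use = 1;   /* the table's own reference */
    }

    dump_table(tbl, N_ENTRIES, &cb, 1, guard_resume);  /* emits tbl[0], stalls at tbl[1] */
    dump_table(tbl, N_ENTRIES, &cb, 0, guard_resume);  /* resumes at tbl[1], which still does not fit */

    /* Teardown: the table drops its reference on every entry. */
    for (int i = 0; i < N_ENTRIES; i++) {
        ct_put(&tbl[i]);
        leaked += tbl[i].use;
    }
    return leaked;
}

int main(void)
{
    printf("unguarded resume path: %d reference(s) never released\n",
           leaked_refs_after_dump(false));
    printf("guarded resume path:   %d reference(s) never released\n",
           leaked_refs_after_dump(true));
    return 0;
}
```

The model deliberately keeps a single reference counter per entry so the imbalance is visible directly: after the unguarded run one entry still has a reference with no owner left to release it, which is the condition under which a teardown that waits for every entry to be freed never finishes.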

Defensive priority

Medium. The issue is local and availability-only, but it can cause a persistent cleanup hang in affected systems and may disrupt appliance lifecycle operations or maintenance tasks.

Recommended defensive actions

  • Apply the vendor remediation identified in the supplied advisory: update to version 5.0 or later.
  • Verify whether your deployed Siemens SIMATIC CN 4100 build actually includes the affected Linux kernel path; the supplied source metadata marks the product mapping as low confidence and in need of review.
  • Track the CISA/Siemens advisory references for any follow-up fixes, especially for related dump-table paths.
  • If you operate Linux-based appliances that rely on conntrack/netfilter, prioritize the kernel fix in maintenance windows because the failure mode can block teardown and module removal.
  • Use standard ICS hardening and defense-in-depth practices from the linked CISA guidance to reduce operational impact if cleanup paths hang.

Evidence notes

The supplied source corpus states there is a reference-count leak in ctnetlink_dump_table() and that, in a rare case, an extra nf_conntrack_get() can be left unmatched, preventing conntrack release and blocking nf_conntrack_cleanup_net_list(). The source also says this can be reproduced by looping the conntrack_resize.sh selftest, but this debrief does not provide reproduction steps. The advisory metadata includes CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5 MEDIUM). Publication timing in the supplied timeline is 2026-05-12, with a CISA republication update on 2026-05-14. The source metadata marks the Siemens product mapping as low confidence and in need of review.

Official resources

CVE published on 2026-05-12 and modified on 2026-05-14 per the supplied timeline. The advisory corpus indicates a later CISA republication of Siemens ProductCERT material on 2026-05-14; PatchSiren publication time should not be treated as a