PatchSiren cyber security CVE debrief

CVE-2025-38723 Cert Portal CVE debrief

CVE-2025-38723 is described in the supplied advisory as a LoongArch Linux kernel BPF tailcall issue where an extra pass of bpf_int_jit_compile() skips JIT context initialization, leaving out_offset at -1 and causing an incorrect negative jump offset in emit_bpf_tail_call. The source states this can produce malformed generated assembly and, in the provided self-test scenario, a watchdog soft lockup. The advisory was published on 2026-05-12 and republished on 2026-05-14.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Linux kernel maintainers, distribution security teams, and operators running LoongArch systems that use eBPF tailcalls or JIT compilation should review this issue. Because the source metadata also maps the advisory to a Siemens SIMATIC CN 4100 product entry, Siemens-focused asset owners should validate applicability against their environment before taking action.

Technical summary

The issue is a jump-offset calculation bug in the LoongArch BPF tailcall path. According to the source, an extra pass of bpf_int_jit_compile() skips JIT context initialization, which skips offset calculation and leaves out_offset = -1. emit_bpf_tail_call then computes jmp_offset as out_offset - cur_offset, resulting in an invalid negative branch offset. The advisory says this can lead to incorrect assembly generation and a soft lockup observed during the tailcall_bpf2bpf_1 selftest. The source lists CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H with a score of 5.5.
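As an added illustration (a constructed model, not the kernel's code and not the upstream fix), the C program below reproduces the state problem the summary describes: a file-scope label offset that only context initialization sets, an extra pass that skips that initialization, and a hardened emitter that takes the target from the context and refuses to encode a negative offset. The jit_ctx layout, the index constants and the abort-on-negative check are assumptions made for the model.

```c
/* Constructed model of the bug described in this debrief; not kernel code. */
#include <stdio.h>
#include <string.h>
#define NUM_INSNS 8   /* instructions in the toy program */
#define TAILCALL  2   /* index at which the tailcall is emitted */
#define OUT_LABEL 6   /* index of the "out" label the tailcall jumps to */

struct jit_ctx { int offset[NUM_INSNS]; };  /* offsets carried across passes */
/* File-scope label offset: computed only during context initialisation and
 * cleared after each compile, so a pass that skips init still sees -1. */
static int out_offset = -1;
static void init_ctx(struct jit_ctx *ctx)
{
    memset(ctx, 0, sizeof(*ctx));
    for (int i = 0; i < NUM_INSNS; i++)  /* offset-calculation pass */
        ctx->offset[i] = i;
    out_offset = ctx->offset[OUT_LABEL];
}

/* Vulnerable emitter: trusts the static label unconditionally. */
static int emit_tail_call_buggy(const struct jit_ctx *ctx)
{
    return out_offset - ctx->offset[TAILCALL];  /* -1 - 2 = -3 once init is skipped */
}

/* Illustrative hardening (not the upstream patch): take the target from the
 * context every pass carries and refuse a backward jump, returning -1 to abort. */
static int emit_tail_call_fixed(const struct jit_ctx *ctx)
{
    int jmp = ctx->offset[OUT_LABEL] - ctx->offset[TAILCALL];
    return jmp < 0 ? -1 : jmp;
}

/* One compile; skip_init models the extra pass the advisory describes. */
static int compile(struct jit_ctx *ctx, int skip_init, int (*emit)(const struct jit_ctx *))
{
    if (!skip_init) init_ctx(ctx);
    int jmp = emit(ctx);
    out_offset = -1;  /* static label cleared for the next program */
    return jmp;
}

int main(void)
{
    struct jit_ctx ctx;
    printf("first pass: %d\n", compile(&ctx, 0, emit_tail_call_buggy));   /* 4 */
    printf("extra pass: %d\n", compile(&ctx, 1, emit_tail_call_buggy));   /* -3 */
    printf("hardened  : %d\n", compile(&ctx, 1, emit_tail_call_fixed));   /* 4 */
    return 0;
}
```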

Defensive priority

Medium. Prioritize remediation on any LoongArch Linux deployments that rely on eBPF tailcalls or JIT execution, and validate whether the Siemens product mapping in the advisory actually matches your asset inventory.

Recommended defensive actions

  • Apply the vendor or upstream fix that corrects jump offset handling in the LoongArch BPF tailcall path.
  • If you operate LoongArch Linux systems, test relevant eBPF workloads and selftests in a non-production environment after patching.
  • Review whether any production systems use tailcalls or BPF JIT features that could exercise this code path.
  • Monitor kernel watchdog and soft-lockup logs for symptoms during BPF-heavy workloads.
  • If you manage the Siemens product named in the advisory metadata, follow the linked Siemens update guidance and confirm the advisory applies to your deployment.
  • Track the CISA and Siemens advisory pages for any further revisions or clarification.

Evidence notes

The source advisory text states that the vulnerability, now resolved in the Linux kernel, lies in the LoongArch BPF tailcall code path: an extra pass of bpf_int_jit_compile() skips JIT context initialization and leaves out_offset = -1. It also states that the resulting negative jump offset can lead to incorrect generated assembly and that the provided self-test command reveals a watchdog soft lockup. The source metadata and advisory title reference Siemens SIMATIC CN 4100, but the vulnerability description is kernel/LoongArch-specific, so applicability should be validated carefully. The source lists CVSS 5.5 MEDIUM and was initially published on 2026-05-12, then republished on 2026-05-14.

Official resources

Public debrief based on the supplied CISA CSAF advisory ICSA-26-134-10 and linked Siemens ProductCERT references. Source publication date: 2026-05-12; source republication date: 2026-05-14. The source contains a product/advisory mapping in