PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-38724 Cert Portal CVE debrief

CVE-2025-38724 describes a Linux kernel nfsd bug in nfsd4_setclientid_confirm() where get_client_locked() failure was not handled correctly. According to the advisory text, a SETCLIENTID_CONFIRM race with a confirmed client expiring could fail to obtain a reference and later lead to a use-after-free. The documented fix is to take a reference earlier when a confirmed client exists and to treat reference acquisition failure as if no confirmed client were found; if the unconfirmed client is expiring, the call should fail and return the get_client_locked() result. CISA published the advisory on 2026-05-12 and republished it on 2026-05-14 with Siemens ProductCERT material.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators and maintainers of systems that include the affected Linux kernel NFS server path, especially organizations relying on Siemens SIMATIC CN 4100 per the advisory. ICS defenders, embedded Linux teams, and administrators who expose NFS services should confirm whether their builds include the vulnerable code path and whether vendor guidance applies.

Technical summary

The issue is a missing return-value check in nfsd4_setclientid_confirm(). A race condition can occur when a confirmed NFS client is expiring while SETCLIENTID_CONFIRM runs. If get_client_locked() does not return a valid reference and that failure is ignored, later use of the client object can become a use-after-free. The remediation described in the source is to acquire a reference early for an extant confirmed client and to handle failure paths explicitly so the code does not proceed with an invalid object.
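The following is an added C model of the reference-acquisition pattern the summary describes; it is not the kernel's nfsd code and the names client_try_get(), client_put(), expiry_complete(), client_use(), confirm_unchecked() and confirm_checked() are hypothetical stand-ins. A "freed" flag marks an object that has gone away so the model can report a stale access instead of actually triggering undefined behaviour. The unchecked handler drops the result of the reference grab and goes on to use a confirmed client whose expiry completes underneath it; the checked handler takes the reference first, treats a failed grab as "no confirmed client", and fails the call when the unconfirmed client is itself expiring.

```c
/* Added example, not kernel code: models the check-the-reference pattern
 * behind the CVE-2025-38724 fix. All names are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>

enum {
    ERR_EXPIRED      = 1, /* stand-in for a failed get_client_locked() */
    ERR_STALE_ACCESS = 2, /* model-only: handler touched a freed object */
};

struct client {
    int refcount;
    int expiring; /* set when the client is being torn down */
    int freed;    /* model-only: object is no longer valid */
};

/* Stand-in for get_client_locked(): refuse a reference on an expiring client. */
static int client_try_get(struct client *clp)
{
    if (clp->expiring)
        return ERR_EXPIRED;
    clp->refcount++;
    return 0;
}

static void client_put(struct client *clp)
{
    if (--clp->refcount == 0 && clp->expiring)
        clp->freed = 1;
}

/* Stand-in for the racing expiry path finishing: an expiring client with no
 * outstanding reference is released. */
static void expiry_complete(struct client *clp)
{
    if (clp && clp->expiring && clp->refcount == 0)
        clp->freed = 1;
}

/* Models a dereference; reports whether the object was already gone. */
static int client_use(const struct client *clp)
{
    return clp->freed ? -1 : 0;
}

/* Before the fix: the result of the reference grab is ignored, so the
 * handler proceeds with a confirmed client it never pinned. */
static int confirm_unchecked(struct client *conf, struct client *unconf)
{
    if (conf)
        (void)client_try_get(conf);   /* failure silently dropped */
    if (unconf)
        (void)client_try_get(unconf);
    expiry_complete(conf);            /* concurrent expiry finishes here */
    if (conf && client_use(conf) < 0) /* stale pointer used */
        return ERR_STALE_ACCESS;
    return 0;
}

/* After the fix: pin the confirmed client early; on failure behave as if no
 * confirmed client exists; fail the call if the unconfirmed client is expiring. */
static int confirm_checked(struct client *conf, struct client *unconf)
{
    int status;

    if (conf && client_try_get(conf) != 0)
        conf = NULL;                  /* treat as "no confirmed client" */
    if (unconf) {
        status = client_try_get(unconf);
        if (status != 0) {
            if (conf)
                client_put(conf);     /* release what we took */
            return status;            /* propagate the get failure */
        }
    }
    expiry_complete(conf);            /* cannot free: we hold a reference */
    if (conf && client_use(conf) < 0)
        return ERR_STALE_ACCESS;      /* unreachable on this path */
    return 0;
}

int main(void)
{
    /* Constructed race: confirmed client already expiring, unconfirmed valid. */
    struct client conf_a = {0, 1, 0}, unconf_a = {0, 0, 0};
    struct client conf_b = {0, 1, 0}, unconf_b = {0, 0, 0};
    printf("unchecked handler: %d (2 = stale access)\n",
           confirm_unchecked(&conf_a, &unconf_a));
    printf("checked handler:   %d (0 = ok)\n",
           confirm_checked(&conf_b, &unconf_b));
    return 0;
}
```

The model keeps the kernel's two distinct outcomes apart: a confirmed client that cannot be pinned is simply ignored, while an unconfirmed client that cannot be pinned fails the whole operation, and any reference taken on the way is released before returning.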

Defensive priority

High for confirmed or suspected affected deployments; otherwise medium until applicability is verified. The advisory's CVSS 3.1 base score is 7.8 (vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Recommended defensive actions

  • Update to V5.0 or later as directed by the Siemens advisory.
  • Verify whether the affected device or image actually contains the vulnerable Linux kernel NFS server code path.
  • If immediate patching is not possible, reduce exposure of NFS services to trusted management networks only.
  • Monitor vendor and CISA guidance for any additional mitigations or scope clarifications.
  • Document affected assets and prioritize them for maintenance windows because the issue can lead to a kernel use-after-free.

Evidence notes

Source corpus ties this CVE to a Linux kernel nfsd use-after-free scenario and also includes Siemens/CISA ICS advisory metadata for Siemens SIMATIC CN 4100 vers:intdot/<5.0. That product mapping is marked low-confidence in the supplied data, so applicability should be validated against the vendor advisory and the actual firmware/software build. The CVSS vector in the source is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and the supplied advisory timestamps are 2026-05-12 (publication) and 2026-05-14 (modified/republication).

Official resources

Publicly disclosed in the supplied CISA CSAF advisory on 2026-05-12 and republished with Siemens ProductCERT material on 2026-05-14. No KEV listing is present in the supplied data.