PatchSiren

CVE-2025-38727 Cert Portal CVE debrief

CVE-2025-38727 is an availability issue in Linux kernel netlink handling that can leave netlink_unicast() retrying indefinitely when socket memory accounting lands exactly on the receive-buffer limit. The advisory published through CISA maps the issue to Siemens SIMATIC CN 4100 versions before 5.0 and notes that the condition can manifest as an RCU stall. Siemens’ listed remediation is to update to V5.0 or later.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100, versions before 5.0
CVSS: 5.5 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Security and operations teams responsible for Siemens SIMATIC CN 4100 deployments, Linux kernel-based OT/ICS systems, and administrators who manage hosts where local users or services can exercise netlink paths. Treat this as particularly important on availability-sensitive systems.

Technical summary

The source advisory says netlink_attachskb() checks socket receive-memory constraints using comparisons that miss the equality case where skb->truesize + sk->sk_rmem_alloc equals sk->sk_rcvbuf. In that state, the function neither accepts the packet nor successfully reschedules the task, so netlink_unicast() can loop indefinitely. The supplied evidence links the behavior to an RCU sched stall, and the source CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5). The advisory states the bug was found by the Linux Verification Center and that the fix restores the original check behavior.
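The failure mode the advisory describes is a pair of boundary checks that do not partition the value space: one test accepts when the total is strictly below the limit, the other waits when it is strictly above, and the value exactly at the limit takes neither branch. The following model, written for this debrief and not taken from the kernel or the advisory, reproduces that gap with plain integers (the field names mirror the kernel's for readability only, and the "retry" outcome, the sweep helper and the caller simulation are hypothetical simplifications) and then shows that making the accept test inclusive closes it.

```python
"""Model of the receive-buffer accounting decision from the advisory.

Hypothetical simplification written for this debrief; it is not the
kernel's netlink_attachskb()/netlink_unicast() code.
"""
from __future__ import annotations

from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"  # the buffer fits, queue it
    WAIT = "wait"      # over budget, sleep until receive memory is freed
    RETRY = "retry"    # neither test matched: the caller simply tries again


def attach_decision(rmem_alloc: int, truesize: int, rcvbuf: int,
                    *, inconsistent: bool) -> Decision:
    """Decide what happens when a buffer of `truesize` bytes is charged to a
    socket that already holds `rmem_alloc` bytes against a limit of `rcvbuf`.

    inconsistent=True models the advisory's bug: the accept test uses '<'
    while the wait test uses '>', so rmem == rcvbuf matches neither.
    inconsistent=False uses '<=' for the accept test, so every value is
    handled by exactly one of the two tests.
    """
    rmem = rmem_alloc + truesize
    fits = rmem < rcvbuf if inconsistent else rmem <= rcvbuf
    if fits:
        return Decision.ACCEPT
    if rmem > rcvbuf:
        return Decision.WAIT
    return Decision.RETRY  # the uncovered equality case


def uncovered_totals(rcvbuf: int, truesize: int, *, inconsistent: bool) -> list[int]:
    """Sweep every possible rmem_alloc from 0 to rcvbuf and return the totals
    that neither test handles. A correct predicate pair returns []."""
    return [
        alloc + truesize
        for alloc in range(0, rcvbuf + 1)
        if attach_decision(alloc, truesize, rcvbuf,
                           inconsistent=inconsistent) is Decision.RETRY
    ]


def simulate_unicast(rmem_alloc: int, truesize: int, rcvbuf: int,
                     *, inconsistent: bool, max_attempts: int = 1000) -> int:
    """Mimic a caller that re-invokes the check until it gets ACCEPT or WAIT.

    Returns the number of attempts used; hitting max_attempts stands in for
    the indefinite loop the advisory describes (nothing in the state changes
    between attempts, so a RETRY result repeats forever).
    """
    for attempt in range(1, max_attempts + 1):
        if attach_decision(rmem_alloc, truesize, rcvbuf,
                           inconsistent=inconsistent) is not Decision.RETRY:
            return attempt
    return max_attempts


if __name__ == "__main__":
    # Constructed values: a 4096-byte limit with 3584 bytes already queued
    # and a 512-byte buffer arriving, i.e. exactly the equality case.
    for flag in (True, False):
        print("inconsistent" if flag else "consistent",
              attach_decision(3584, 512, 4096, inconsistent=flag),
              "uncovered:", uncovered_totals(4096, 512, inconsistent=flag),
              "attempts:", simulate_unicast(3584, 512, 4096, inconsistent=flag,
                                            max_attempts=50))
```

The sweep in `uncovered_totals` is the check worth carrying into code review: when an accept test and a wait test are written as two separate comparisons against the same limit, enumerate the boundary and confirm that exactly one of them holds for every value, rather than reasoning about each comparison in isolation.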

Defensive priority

Medium, with elevated priority for availability-critical OT/ICS assets.

Recommended defensive actions

  • Apply Siemens’ remediation and update affected systems to V5.0 or later as directed in the advisory.
  • Inventory assets that match Siemens SIMATIC CN 4100 versions before 5.0 and confirm exposure to the advisory.
  • Monitor for signs of CPU starvation, RCU stall messages, and repeated netlink-related retry behavior on affected hosts.
  • Restrict local access and minimize unnecessary privileged or service accounts on systems that can exercise the affected kernel path.
  • Validate vendor maintenance windows and test updates in a controlled environment before broad deployment.
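For the monitoring action above, the signal to look for in kernel logs is an RCU stall report, and a stall whose backtrace passes through netlink symbols is the one relevant to this advisory. The scanner below is an added example written for this debrief, not tooling from Siemens or the advisory; the log excerpt is constructed (the timestamps, tick counts and symbol offsets are illustrative), and the symbol list and the line window are assumptions for this example.

```python
"""Scan kernel log lines for RCU stall reports and note whether the stall's
backtrace mentions netlink symbols. Example written for this debrief."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RCU stall reports name the RCU flavour and the word "stall"/"stalls".
STALL_RE = re.compile(r"\b(rcu_sched|rcu_preempt|rcu_bh)\b.*\bstall", re.IGNORECASE)

# Assumed set of kernel symbols that tie a stall to the advisory's code path.
NETLINK_SYMS = ("netlink_attachskb", "netlink_unicast", "netlink_sendmsg")

# Constructed sample log, not a capture from a real system.
SAMPLE_LOG = """\
[  120.001000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  304.512345] rcu: INFO: rcu_sched self-detected stall on CPU
[  304.512401] rcu:     2-....: (20999 ticks this GP) idle=5f2/1/0x4000000000000000 softirq=8723/8723 fqs=10348
[  304.512470] Call Trace:
[  304.512480]  netlink_attachskb+0x1c0/0x2a0
[  304.512490]  netlink_unicast+0x14b/0x3a0
[  304.512500]  netlink_sendmsg+0x2a9/0x4c0
[  500.000000] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[  500.000100]  worker_thread+0x50/0x3d0
"""


@dataclass
class StallEvent:
    line_no: int               # 1-based line in the input
    flavor: str                # rcu_sched, rcu_preempt or rcu_bh
    message: str               # the stall header line
    netlink_frames: list[str] = field(default_factory=list)

    @property
    def netlink_related(self) -> bool:
        return bool(self.netlink_frames)


def find_rcu_stalls(lines: list[str], trace_window: int = 40) -> list[StallEvent]:
    """Return one StallEvent per stall header found in `lines`.

    For each stall, the following `trace_window` lines (stopping early at the
    next stall header) are searched for the assumed netlink symbols, so that
    stalls on this advisory's path can be separated from unrelated ones.
    """
    events: list[StallEvent] = []
    for i, line in enumerate(lines):
        m = STALL_RE.search(line)
        if not m:
            continue
        ev = StallEvent(line_no=i + 1, flavor=m.group(1), message=line.strip())
        for follow in lines[i + 1:i + 1 + trace_window]:
            if STALL_RE.search(follow):
                break  # backtrace of this stall ends where the next one begins
            for sym in NETLINK_SYMS:
                if sym in follow and sym not in ev.netlink_frames:
                    ev.netlink_frames.append(sym)
        events.append(ev)
    return events


def summarize(lines: list[str]) -> dict[str, int]:
    """Counts used for alerting: total stalls and those touching netlink."""
    events = find_rcu_stalls(lines)
    return {
        "stalls": len(events),
        "netlink_related": sum(1 for e in events if e.netlink_related),
    }


if __name__ == "__main__":
    for ev in find_rcu_stalls(SAMPLE_LOG.splitlines()):
        print(ev.line_no, ev.flavor, ev.netlink_frames, ev.message)
    print(summarize(SAMPLE_LOG.splitlines()))
```

In practice the input would be the output of `dmesg` or `journalctl -k` read line by line; a non-zero `netlink_related` count on a host in the affected inventory is the condition to page on, while an RCU stall with no netlink frames still deserves a look but is not evidence of this particular issue.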

Evidence notes

The source advisory is ICSA-26-134-10, published 2026-05-12 and republished 2026-05-14 with Siemens ProductCERT SSA-032379. The supplied description states that the bug is in Linux kernel netlink_attachskb()/netlink_unicast(), that an equality case in receive-memory accounting can cause an indefinite retry loop, and that the observed effect is an RCU sched stall. The source remediation is to update to V5.0 or later. The advisory’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which corresponds to 5.5 Medium and availability impact only.

Official resources

Use 2026-05-12 as the CVE publication date for timeline context. The source advisory was updated/republished on 2026-05-14, but that is not the original CVE issue date.