PatchSiren cyber security CVE debrief
CVE-2025-38729 Cert Portal CVE debrief
CVE-2025-38729 describes a Linux kernel ALSA usb-audio parsing flaw where UAC3 power domain descriptors were not validated against their variable bLength. The stated risk is unexpected out-of-bounds access triggered by malicious firmware. CISA republishes the issue in ICSA-26-134-10 alongside Siemens ProductCERT advisory SSA-032379, and the vendor remediation is to update to V5.0 or later for the affected Siemens SIMATIC CN 4100 product entry in the advisory metadata.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
OT/ICS teams and device owners responsible for Siemens SIMATIC CN 4100 deployments referenced by ICSA-26-134-10, plus security teams maintaining Linux kernel-based embedded images that include ALSA usb-audio handling.
Technical summary
The advisory text says UAC3 power domain descriptors need validation of the variable bLength field to prevent unexpected out-of-bounds accesses from malicious firmware. The CVSS vector provided is local, low-privilege, no-user-interaction, with high confidentiality and availability impact. The source metadata ties the issue to Siemens SIMATIC CN 4100 in a CISA-republished Siemens advisory, but the vulnerability description itself is explicitly Linux kernel ALSA usb-audio.
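As an added illustration (not code from the kernel, the advisory, or this page), the following C validator shows the bLength consistency check the description calls for. The field layout is assumed from the UAC3 power domain descriptor (fixed header, variable baEntityID[] array, trailing string index), and the sample descriptor bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offsets assumed from the UAC3 Power Domain Descriptor layout:
 * bLength, bDescriptorType, bDescriptorSubtype, bPowerDomainID,
 * waRecoveryTime1 (2), waRecoveryTime2 (2), bNrEntities,
 * baEntityID[bNrEntities], wPDomainDescrStr (2). Illustrative only,
 * not the kernel's own struct definition. */
#define PD_OFF_NR_ENTITIES 8
#define PD_OFF_ENTITIES    9
#define PD_TAIL_BYTES      2

/* Validate the descriptor at buf[0..avail). On success copy up to
 * max_ids entity IDs into ids and return bNrEntities; otherwise -1.
 * Every read of the variable part is gated on bLength, which is the
 * check the CVE description says was missing. */
int validate_uac3_power_domain(const uint8_t *buf, size_t avail,
                               uint8_t *ids, size_t max_ids)
{
    if (avail < PD_OFF_ENTITIES)
        return -1;                 /* fixed header not fully present */
    size_t blen = buf[0];
    if (blen > avail)
        return -1;                 /* bLength claims bytes we do not have */
    size_t nr = buf[PD_OFF_NR_ENTITIES];
    if (blen != PD_OFF_ENTITIES + nr + PD_TAIL_BYTES)
        return -1;                 /* bLength disagrees with bNrEntities */
    for (size_t i = 0; i < nr && i < max_ids; i++)
        ids[i] = buf[PD_OFF_ENTITIES + i];
    return (int)nr;
}

/* Constructed sample descriptors (not captured from any device);
 * type/subtype bytes are arbitrary placeholders. */
const uint8_t good_pd[] = { 13, 0x24, 0x00, 0x01, 0x10, 0x00, 0x20, 0x00,
                            2, 0x05, 0x07, 0x00, 0x00 };
/* bNrEntities claims 200 IDs while bLength still says 13. */
const uint8_t bad_pd[]  = { 13, 0x24, 0x00, 0x01, 0x10, 0x00, 0x20, 0x00,
                            200, 0x05, 0x07, 0x00, 0x00 };
uint8_t pd_ids[8];

int main(void)
{
    printf("good: %d\n", validate_uac3_power_domain(good_pd, sizeof good_pd, pd_ids, 8));
    printf("bad: %d\n", validate_uac3_power_domain(bad_pd, sizeof bad_pd, pd_ids, 8));
    printf("truncated: %d\n", validate_uac3_power_domain(good_pd, 11, pd_ids, 8));
    return 0;
}
```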
Defensive priority
High. Prioritize patching or upgrading any affected deployment that matches the advisory metadata, especially where firmware trust boundaries are weak or device firmware can be influenced by untrusted sources.
Recommended defensive actions
- Apply the vendor remediation: update to V5.0 or later for the affected Siemens product entry.
- Verify whether your deployment matches the advisory’s affected product/version scope before scheduling maintenance.
- Treat USB audio descriptors supplied by device firmware as untrusted input, and source firmware only from trusted channels.
- Track downstream Linux kernel or OEM package updates that include the descriptor-validation fix.
- Use standard ICS defense-in-depth controls to limit exposure while patching is planned.
Evidence notes
Source item ICSA-26-134-10 (CISA CSAF) lists CVE-2025-38729, includes revision history dated 2026-05-12 and 2026-05-14, and provides remediation to update to V5.0 or later. The CVE description in the supplied corpus is: validation of UAC3 power domain descriptors is needed to prevent out-of-bounds access by malicious firmware. The advisory metadata also lists product names Siemens / SIMATIC CN 4100 / vers:intdot/<5.0, so the vendor-product mapping should be treated cautiously and reviewed against the Linux-kernel wording in the description.
Official resources
- CVE-2025-38729 CVE record (CVE.org)
- CVE-2025-38729 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the supplied source corpus on 2026-05-12 via CISA CSAF, with CISA republication/revision on 2026-05-14. No KEV entry was provided.