PatchSiren cyber security CVE debrief
CVE-2025-38732 Cert Portal CVE debrief
CVE-2025-38732 describes a Linux kernel netfilter flaw in nf_reject handling for loopback packets. The bug can leak a dst refcount when skb dst entries are replaced, which may lead to resource exhaustion and denial-of-service conditions. The source advisory says the fix is to check whether the skb already has a route attached, rather than relying only on the hook.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Kernel and platform teams, network/security administrators, and anyone operating systems that include the affected Linux netfilter code path. If you are relying on the Siemens/CISA advisory for asset scope, verify applicability carefully because the source metadata is inconsistent and marked low confidence.
Technical summary
The advisory text says recent WARN() instrumentation exposed an old bug in nf_reject_fill_skb_dst. Loopback packets can already have a dst_entry at PRE_ROUTING, but the earlier logic did not account for that and could replace the skb dst incorrectly, leaking a destination reference count. The described fix changes the condition to test whether the skb already has a route attached. The supplied CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H (5.8, Medium).
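The condition change described above, as a user-space model (an added example, not kernel code and not the advisory's patch): a loopback packet arrives at PRE_ROUTING with a dst already attached, the hook-only condition replaces it and loses that reference, while testing skb_dst() first does not. The helper names mirror the kernel's for readability only; the route lookup and refcount bookkeeping are simplified assumptions.

```c
/* Userspace model of the dst refcount leak the advisory describes: an added example, not
 * kernel code. Names mirror the kernel's helpers for readability; refcounting is simplified. */
#include <stdbool.h>
#include <stdlib.h>
#define NF_INET_PRE_ROUTING 0
struct dst_entry { int refcnt; };
struct sk_buff { struct dst_entry *dst; };   /* NULL: no route attached yet */
static int live_dsts;   /* dst objects not yet freed; acts as the leak detector */
static struct dst_entry *dst_alloc(void) {
    struct dst_entry *d = calloc(1, sizeof *d);
    d->refcnt = 1;          /* the one reference handed to the caller */
    live_dsts++;
    return d;
}
static void dst_put(struct dst_entry *d) {
    if (d && --d->refcnt == 0) { free(d); live_dsts--; }
}
/* Like the kernel's skb_dst_set(): the skb takes the reference and the old pointer is
 * overwritten, never released. Overwriting a non-NULL dst is exactly the leak. */
static void skb_dst_set(struct sk_buff *skb, struct dst_entry *d) { skb->dst = d; }
static struct dst_entry *skb_dst(const struct sk_buff *skb) { return skb->dst; }
static void skb_dst_drop(struct sk_buff *skb) { dst_put(skb->dst); skb->dst = NULL; }
/* Route lookup for the reject packet; always attaches a freshly allocated dst. */
static int nf_reject_fill_skb_dst(struct sk_buff *skb) {
    skb_dst_set(skb, dst_alloc());
    return 0;
}
/* Before the fix: decide by hook only. A loopback packet at PRE_ROUTING already
 * carries a dst, so this replaces it and loses that reference. */
static void nf_send_reject_old(struct sk_buff *skb, int hook) {
    if (hook == NF_INET_PRE_ROUTING) nf_reject_fill_skb_dst(skb);
}
/* After the fix: decide by whether a route is already attached. */
static void nf_send_reject_fixed(struct sk_buff *skb, int hook) {
    (void)hook;
    if (!skb_dst(skb)) nf_reject_fill_skb_dst(skb);
}
/* Push a loopback packet (dst already attached) through reject at PRE_ROUTING, free the
 * packet, and report how many dst objects were left behind. */
static int leaked_dsts_loopback(bool use_fix) {
    struct dst_entry *orig = dst_alloc();
    struct sk_buff skb = { .dst = orig };
    if (use_fix) nf_send_reject_fixed(&skb, NF_INET_PRE_ROUTING);
    else         nf_send_reject_old(&skb, NF_INET_PRE_ROUTING);
    skb_dst_drop(&skb);             /* packet freed: releases whatever is attached now */
    int leaked = live_dsts;         /* 1 before the fix (orig lost), 0 after it */
    if (leaked) dst_put(orig);      /* reclaim it so the model starts clean next time */
    return leaked;
}
```

In the real kernel the lost reference is on a routing cache entry, so repeated loopback rejects pin those entries until the host runs short of resources; that is the availability impact the CVSS vector reflects.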
Defensive priority
Medium. Patch promptly if your environment includes the affected kernel code path, especially where netfilter/nftables reject handling is used. The issue is not presented as remotely weaponized in the source corpus, but it can still create stability and availability risk.
Recommended defensive actions
- Confirm whether your Linux kernel build includes the affected nf_reject code path and whether loopback traffic can reach it.
- Apply the vendor or upstream fix that accounts for existing routes on loopback packets.
- If you are following the Siemens advisory, use the vendor remediation guidance and update to V5.0 or later only after confirming the product mapping applies to your environment.
- Monitor kernel logs for warnings mentioning skb_dst_check_unset, skb_dst_set, or nf_reject_fill_skb_dst.
- Treat affected systems as higher priority if they rely on nft_reject_inet or similar netfilter reject handling.
Evidence notes
The primary evidence is the CISA CSAF source item for ICSA-26-134-10 and its Siemens ProductCERT references. The advisory description explicitly states the issue is a Linux kernel netfilter refcount leak affecting loopback packets. The source metadata also maps the CVE to 'Siemens SIMATIC CN 4100 vers:intdot/<5.0' with low confidence and flags it as needing review, so product applicability should not be assumed without validation. The published date used here is 2026-05-12; the source was revised on 2026-05-14.
Official resources
- CVE-2025-38732 CVE record (CVE.org)
- CVE-2025-38732 NVD detail (NVD)
- Source item URL (cisa_csaf)
Use 2026-05-12 as the CVE/source publication date and 2026-05-14 as the source revision date. Do not treat later processing dates as disclosure timing.