PatchSiren cyber security CVE debrief
CVE-2025-38736 Cert Portal CVE debrief
CVE-2025-38736 is a Linux kernel availability issue affecting MDIO bus initialization in the asix_devices path. According to the supplied advisory text, syzbot reported a shift-out-of-bounds exception because PHY addresses were not constrained to the valid 5-bit range. The fix masks the address with 0x1f so invalid values cannot reach the MDIO initialization logic. The supplied source corpus packages this issue inside a Siemens/CISA advisory context, but the technical description itself is the kernel flaw.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Linux kernel maintainers, embedded device vendors, and operators of systems that include the affected USB Ethernet/MDIO driver path should care. Because the supplied advisory is republished in a Siemens OT advisory context, OT/ICS teams should also verify whether any deployed Siemens-related products include the affected component before assuming exposure.
Technical summary
The advisory describes a local, low-complexity denial-of-service style kernel defect in net/usb/asix_devices during MDIO bus initialization. An unmasked PHY address could exceed the expected 0-31 range, leading to a shift-out-of-bounds exception. The remediation is to mask the PHY address with 0x1f, constraining the value to 5 bits and preventing invalid MDIO bus operations. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, consistent with a local availability impact.
Defensive priority
Medium. The issue is locally triggered and affects availability rather than confidentiality or integrity, but kernel faults in embedded and industrial environments can still cause disruptive service loss. Prioritize remediation on any affected deployments once product applicability is confirmed.
Recommended defensive actions
- Update affected systems to the vendor-fixed release identified in the advisory: V5.0 or later.
- Confirm whether the advisory applies to your actual deployed hardware/software, since the supplied source corpus contains a product naming mismatch that should be validated before remediation planning.
- If you maintain a kernel tree or vendor fork, backport the PHY address masking fix (0x1f) into the relevant MDIO initialization code path.
- Inventory systems using the asix_devices USB networking driver or related MDIO initialization logic and include them in patch planning.
- Monitor affected systems for kernel warnings, crashes, or service interruptions during USB network initialization.
- Track the CISA/Siemens advisory references for any follow-on corrections or updated remediation guidance.
Evidence notes
The supplied CISA CSAF record (ICSA-26-134-10) states that syzbot reported a shift-out-of-bounds exception in MDIO bus initialization and that the PHY address should be masked to 5 bits (0-31). The same record says the fix is to mask the address with 0x1f. The remediation field directs users to update to V5.0 or later. The corpus also includes a CVE record link and an NVD detail link, but the technical basis in the supplied source is the CISA-republished Siemens ProductCERT advisory.
Official resources
-
CVE-2025-38736 CVE record
CVE.org
-
CVE-2025-38736 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Use 2026-05-12 as the CVE publication date and 2026-05-14 as the last modified date, per the supplied timeline and source metadata. The advisory was republished by CISA on 2026-05-14, but that does not change the CVE publication date.