PatchSiren cyber security CVE debrief
CVE-2025-21835 Linux CVE debrief
This CVE addresses an incorrect length field in USB MIDI Streaming descriptors generated by the Linux kernel's USB gadget subsystem. The flaw is in the f_midi function driver, which implements USB MIDI when a Linux system operates as a USB device (gadget mode). Because the descriptor length is miscalculated, the host receives malformed MIDI Streaming descriptors, which can lead to out-of-bounds memory access or parsing errors when a host interacts with the USB MIDI gadget. Siemens lists this CVE as affecting the GNU/Linux subsystem of its SIMATIC S7-1500 TM MFP industrial control product. The Siemens advisory was first published on April 9, 2024 and has been revised repeatedly through September 2025 to add related CVEs; this CVE was added in a later revision (see Evidence notes). As of the latest revision, no Siemens patch is available for this product. The CVSS vector requires local access with low privileges, and successful exploitation results in high availability impact (denial of service) with no confidentiality or integrity impact.
- Vendor: Linux
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled should track this vulnerability. System integrators and OT security teams responsible for industrial control system security should assess exposure, in particular whether the Linux subsystem is ever configured as a USB device (gadget mode) with a MIDI function, since the flaw is in that gadget driver rather than in the host-side USB stack. Asset owners in critical infrastructure sectors using affected Siemens products should apply the recommended mitigations and monitor for patch availability.
Technical summary
The f_midi driver in the Linux USB gadget subsystem computes MIDI Streaming descriptor lengths incorrectly. The descriptors presented to a host are therefore malformed, and the mismatch between the declared and actual length can cause memory safety issues when the gadget presents MIDI functionality to a host. The weakness is classified as CWE-20 (Improper Input Validation). The CVSS 3.1 base score of 5.5 corresponds to a local, low-complexity attack with low privileges and no user interaction, with high availability impact but no confidentiality or integrity impact (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The affected product is the GNU/Linux subsystem of the Siemens SIMATIC S7-1500 TM MFP, an industrial automation platform. No vendor patch is currently available; mitigation relies on restricting shell access to the subsystem and running only trusted applications on it.
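The descriptor-length invariant at the heart of this CVE, shown as an added example; this is not code from the page, the kernel's f_midi driver, or Siemens. It assumes the layout of the class-specific MIDI Streaming bulk data endpoint descriptor from the USB MIDI 1.0 class specification (bLength, bDescriptorType 0x25, bDescriptorSubtype MS_GENERAL 0x01, bNumEmbMIDIJack, then one jack ID per embedded jack, so bLength must equal 4 plus the jack count). The gadget-side builder derives bLength from the jack list instead of hardcoding it, and the host-side walker refuses any descriptor whose bLength disagrees with its jack count or runs past the buffer; the bounds check generalizes to every USB descriptor type, not only MIDI. All function names and sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor type/subtype codes from the USB MIDI 1.0 class specification. */
#define USB_DT_CS_ENDPOINT 0x25
#define MS_GENERAL         0x01
/* MS_GENERAL endpoint descriptor: 4 fixed bytes (bLength, bDescriptorType,
 * bDescriptorSubtype, bNumEmbMIDIJack) plus one baAssocJackID per jack. */
#define MS_EP_DESC_FIXED_LEN 4

enum ms_parse_result {
    MS_OK = 0,
    MS_ERR_TRUNCATED,    /* fewer than 2 bytes left for a descriptor header */
    MS_ERR_BAD_BLENGTH,  /* bLength below minimum or running past the buffer */
    MS_ERR_JACK_COUNT    /* bLength disagrees with bNumEmbMIDIJack */
};

/* Gadget side: emit one MS_GENERAL endpoint descriptor for the given jacks.
 * bLength is derived from the jack count (the invariant this CVE broke).
 * Returns bytes written, or 0 if out is too small. Hypothetical helper. */
size_t build_ms_endpoint_desc(uint8_t *out, size_t out_len,
                              const uint8_t *jack_ids, uint8_t njacks)
{
    size_t len = MS_EP_DESC_FIXED_LEN + njacks;
    if (len > 255 || out_len < len) return 0;
    out[0] = (uint8_t)len;        /* bLength */
    out[1] = USB_DT_CS_ENDPOINT;  /* bDescriptorType */
    out[2] = MS_GENERAL;          /* bDescriptorSubtype */
    out[3] = njacks;              /* bNumEmbMIDIJack */
    if (njacks) memcpy(&out[4], jack_ids, njacks); /* baAssocJackID[] */
    return len;
}

/* Host side: walk concatenated descriptors, trusting nothing the device sent.
 * Bounds are checked before any byte past bLength is read, and MS_GENERAL
 * endpoint descriptors must satisfy bLength == 4 + bNumEmbMIDIJack.
 * On success *count_out receives the number of descriptors walked. */
enum ms_parse_result validate_ms_descriptors(const uint8_t *buf, size_t len,
                                             unsigned *count_out)
{
    size_t off = 0;
    unsigned count = 0;
    while (off < len) {
        if (len - off < 2) return MS_ERR_TRUNCATED;
        uint8_t blen = buf[off];
        uint8_t dtype = buf[off + 1];
        if (blen < 2 || blen > len - off) return MS_ERR_BAD_BLENGTH;
        if (dtype == USB_DT_CS_ENDPOINT) {
            if (blen < MS_EP_DESC_FIXED_LEN) return MS_ERR_BAD_BLENGTH;
            if (buf[off + 2] == MS_GENERAL &&
                blen != MS_EP_DESC_FIXED_LEN + buf[off + 3])
                return MS_ERR_JACK_COUNT;
        }
        off += blen;
        count++;
    }
    if (count_out) *count_out = count;
    return MS_OK;
}

/* Constructed sample: an endpoint with one embedded jack followed by one with
 * two, i.e. unequal port counts, the case in which f_midi got bLength wrong. */
static size_t sample_descriptors(uint8_t *buf, size_t buflen)
{
    static const uint8_t one_jack[] = { 1 };
    static const uint8_t two_jacks[] = { 2, 3 };
    size_t n = build_ms_endpoint_desc(buf, buflen, one_jack, 1);
    if (!n) return 0;
    size_t m = build_ms_endpoint_desc(buf + n, buflen - n, two_jacks, 2);
    return m ? n + m : 0;
}

/* Correctly built descriptors pass; returns the descriptor count (2). */
int demo_valid(void)
{
    uint8_t buf[32];
    unsigned count = 0;
    size_t n = sample_descriptors(buf, sizeof buf);
    if (!n || validate_ms_descriptors(buf, n, &count) != MS_OK) return -1;
    return (int)count;
}

/* Faulty-gadget pattern: the one-jack descriptor carries the two-jack
 * descriptor's bLength, so a trusting host would consume the next
 * descriptor's bLength byte as a jack ID. The walker rejects it. */
int demo_faulty(void)
{
    uint8_t buf[32];
    size_t n = sample_descriptors(buf, sizeof buf);
    if (!n) return -1;
    buf[0] = MS_EP_DESC_FIXED_LEN + 2;  /* wrong: should be 4 + 1 */
    return validate_ms_descriptors(buf, n, NULL);
}

/* Overlong bLength on the last descriptor: caught by the bounds check. */
int demo_overrun(void)
{
    uint8_t buf[32];
    size_t n = sample_descriptors(buf, sizeof buf);
    if (!n) return -1;
    buf[5] = 0x40;  /* second descriptor claims 64 bytes; only 6 remain */
    return validate_ms_descriptors(buf, n, NULL);
}

int main(void)
{
    printf("well-formed: %d descriptors\n", demo_valid());
    printf("wrong bLength: %d (expect %d)\n", demo_faulty(), MS_ERR_JACK_COUNT);
    printf("overlong bLength: %d (expect %d)\n", demo_overrun(), MS_ERR_BAD_BLENGTH);
    return 0;
}
```

The point of the two checks in the walker is that they catch different failure modes: the jack-count check rejects a descriptor whose bytes still fit in the buffer but whose trailing field would be read from the neighbouring descriptor, while the bounds check rejects a bLength that would read past the end of what the device actually sent.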
Defensive priority
medium
Recommended defensive actions
- Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for future Siemens security advisories for patch availability
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Review and implement ICS-CERT recommended practices for securing embedded Linux subsystems
Evidence notes
The vulnerability description indicates this is a Linux kernel USB gadget driver issue (f_midi) affecting MIDI Streaming descriptor lengths. The CVSS vector confirms local attack vector with low attack complexity and low privileges required. The advisory explicitly states 'Currently no fix is available' for the affected Siemens product. The revision history shows this CVE was added in 'Additional Release 6' on June 10, 2025, indicating it was among 63 CVEs added in that update.
Official resources
- CVE-2025-21835 CVE record (CVE.org)
- CVE-2025-21835 NVD detail (NVD)
- Source item URL (cisa_csaf)
The Siemens advisory covering this vulnerability was distributed through Siemens ProductCERT and CISA (CSAF). It was initially published on April 9, 2024 and has undergone ten revision cycles, the most recent on September 9, 2025.