PatchSiren cyber security CVE debrief

CVE-2025-21639 Siemens CVE debrief

This CVE addresses a null-pointer dereference vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) sysctl implementation for RTO (Retransmission Timeout) minimum and maximum values. The issue stems from unsafe access to `current->nsproxy` when retrieving network namespace information during sysctl operations. When a task is exiting, `current->nsproxy` can be NULL, leading to a kernel oops (null-ptr-deref) as demonstrated by syzbot using the acct(2) system call. The fix replaces the unreliable `current`-based namespace lookup with a proper `container_of()` derivation from `table->data`, ensuring consistent access to the opener's network namespace rather than the reader/writer's namespace. This vulnerability has been identified in Siemens SIMATIC S7-1500 TM MFP industrial control systems running the GNU/Linux subsystem, with no patch currently available.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

  • Industrial control system operators using Siemens SIMATIC S7-1500 TM MFP with the GNU/Linux subsystem
  • Linux kernel maintainers
  • OT security teams managing networked industrial controllers
  • Organizations relying on the SCTP protocol for industrial communications

Technical summary

The vulnerability exists in the Linux kernel's SCTP protocol implementation, specifically in the sysctl handlers for `rto_min` and `rto_max` parameters. The code incorrectly uses `current->nsproxy` to obtain the network namespace structure, which is unreliable because: (1) it creates inconsistency between reader/writer namespace and opener namespace, and (2) `current->nsproxy` can be NULL during task exit, causing a null-pointer dereference. The resolution uses `container_of()` on `table->data` to properly derive the network namespace. This affects Siemens SIMATIC S7-1500 TM MFP systems where the GNU/Linux subsystem provides kernel-level SCTP functionality.
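The two lookups described above, as an added user-space model that is neither the kernel's code nor anything from Siemens: the struct layouts, the `current` stand-in, the sysctl entries and the net ids are constructed assumptions, and `container_of` is spelled out the way the kernel defines it so the fixed lookup can be run outside the kernel.

```c
#include <stddef.h>
#include <stdio.h>

/* container_of as the kernel defines it: recover the enclosing struct
 * from a pointer to one of its members. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct sctp_params { int rto_min; int rto_max; };          /* assumed layout */
struct net { int id; struct sctp_params sctp; };            /* assumed layout */
struct nsproxy { struct net *net_ns; };
struct task { struct nsproxy *nsproxy; };                   /* stands in for `current` */
struct ctl_table { const char *procname; void *data; };     /* models table->data */
static struct task *current;   /* calling task; nsproxy == NULL models task exit */

/* Vulnerable pattern: derive the namespace from the caller. The NULL case is
 * returned here instead of dereferenced so the hazard is observable, not fatal. */
static struct net *net_from_current(void) {
    if (current->nsproxy == NULL)
        return NULL;               /* the kernel had no such check: null-ptr-deref */
    return current->nsproxy->net_ns;
}

/* Fixed pattern: derive the namespace from the sysctl entry itself. table->data
 * points into the opener's struct net, so the result never depends on current. */
static struct net *net_from_table(const struct ctl_table *table, int is_rto_max) {
    return is_rto_max ? container_of(table->data, struct net, sctp.rto_max)
                      : container_of(table->data, struct net, sctp.rto_min);
}

/* Constructed scenario: entries opened in net A, then read by a task in net B. */
static struct net net_a = { .id = 1, .sctp = { 1000, 60000 } };
static struct net net_b = { .id = 2, .sctp = { 1000, 60000 } };
static struct ctl_table rto_min_entry = { "rto_min", &net_a.sctp.rto_min };
static struct ctl_table rto_max_entry = { "rto_max", &net_a.sctp.rto_max };
static struct nsproxy proxy_b = { &net_b };
static struct task reader = { &proxy_b };

int main(void) {
    current = &reader;
    printf("current-based: net %d; table-based: net %d\n",
           net_from_current()->id, net_from_table(&rto_min_entry, 0)->id);
    reader.nsproxy = NULL;         /* the reader is now exiting */
    printf("exiting task: current-based %s; table-based: net %d\n",
           net_from_current() ? "ok" : "NULL (would oops)",
           net_from_table(&rto_max_entry, 1)->id);
    return 0;
}
```

The first line shows the namespace inconsistency (reader's net 2 versus opener's net 1); the second shows that only the `current`-based lookup breaks once `nsproxy` is gone.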

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Only build and execute applications from trusted sources
  • Monitor kernel logs for oops messages (null-ptr-deref) involving the SCTP `rto_min`/`rto_max` sysctl handlers
  • Apply kernel updates when available from Siemens for the SIMATIC S7-1500 TM MFP platform
  • Implement network segmentation for affected industrial control systems

Evidence notes

The vulnerability was resolved in the Linux kernel sctp subsystem. The issue was identified through syzbot automated testing. Siemens has confirmed this affects the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP industrial controllers. The advisory ICSA-24-102-01 has been updated multiple times (most recently 2025-09-09) to include additional CVEs, with this CVE added in a 2025 release.
