PatchSiren


CVE-2025-21648 Siemens CVE debrief

A vulnerability in the Linux kernel's netfilter connection tracking (conntrack) subsystem allows triggering a WARN_ON_ONCE warning when resizing the conntrack hashtable. The issue occurs because the hashtable size was not clamped to INT_MAX, and __GFP_NOWARN is unset during allocation. When an oversized allocation is attempted via __kvmalloc_node_noprof(), the kernel emits a warning. The vulnerability is limited to the initial network namespace (init_netns), restricting the attack surface to privileged contexts where hashtable resize operations are possible. Siemens has identified this as affecting the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control product.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations running Siemens SIMATIC S7-1500 TM MFP with GNU/Linux subsystem enabled; Linux system administrators managing netfilter conntrack configurations; industrial control system operators relying on network address translation and connection tracking

Technical summary

The Linux kernel netfilter conntrack module did not enforce an upper bound on hashtable size, allowing values that could trigger WARN_ON_ONCE in __kvmalloc_node_noprof() during resize operations. The fix clamps maximum size to INT_MAX. Hashtable resize is only possible from init_netns, limiting exploitation to privileged contexts.

Defensive priority

medium

Recommended defensive actions

  • Restrict access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
  • Only build and run applications from trusted sources
  • Monitor for kernel warning messages related to kvmalloc failures in netfilter conntrack
  • Apply vendor security updates when available for Siemens SIMATIC S7-1500 TM MFP
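
One way to implement the kernel-log monitoring recommended above, as an added example (not Siemens or PatchSiren code). It assumes the warning is logged in the standard kernel WARNING format; the sample log is constructed, and the function name find_conntrack_kvmalloc_warnings is hypothetical.

```python
import re

# Constructed sample of kernel log text (not captured from a real device);
# PIDs, offsets and the source line number are placeholders.
SAMPLE_LOG = """\
[  101.000001] ------------[ cut here ]------------
[  101.000002] WARNING: CPU: 1 PID: 4242 at mm/util.c:000 __kvmalloc_node_noprof+0x00/0x00
[  101.000003] Call Trace:
[  101.000004]  nf_ct_alloc_hashtable+0x00/0x00 [nf_conntrack]
[  101.000005]  nf_conntrack_hash_resize+0x00/0x00 [nf_conntrack]
[  101.000006] ---[ end trace 0000000000000000 ]---
[  202.000001] ------------[ cut here ]------------
[  202.000002] WARNING: CPU: 0 PID: 77 at mm/util.c:000 __kvmalloc_node_noprof+0x00/0x00
[  202.000003] Call Trace:
[  202.000004]  some_other_driver_alloc+0x00/0x00
[  202.000005] ---[ end trace 0000000000000000 ]---
[  303.000001] eth0: link up
"""

TS = re.compile(r"^\[\s*(\d+\.\d+)\]\s?")                  # dmesg timestamp prefix
HEADER = re.compile(r"WARNING: .*\b__kvmalloc_node_noprof\b")
CONNTRACK = re.compile(r"\bnf_(?:ct|conntrack)_\w+")       # conntrack symbols in the trace
END = re.compile(r"---\[ end trace")

def find_conntrack_kvmalloc_warnings(log_text):
    """Return WARNING blocks raised in __kvmalloc_node_noprof whose call
    trace contains a conntrack symbol; other kvmalloc warnings are ignored."""
    hits, block = [], None
    for raw in log_text.splitlines():
        m = TS.match(raw)
        line = raw[m.end():] if m else raw
        if HEADER.search(line):
            block = {"time": m.group(1) if m else None, "header": line.strip(), "frames": []}
        elif block is not None and END.search(line):
            if block["frames"]:
                hits.append(block)
            block = None
        elif block is not None:
            sym = CONNTRACK.search(line)
            if sym:
                block["frames"].append(sym.group(0))
    if block and block["frames"]:      # log was cut off before the end marker
        hits.append(block)
    return hits

if __name__ == "__main__":
    for hit in find_conntrack_kvmalloc_warnings(SAMPLE_LOG):
        print(hit["time"], hit["header"], "via", " <- ".join(hit["frames"]))
```

Feeding it the output of the device's kernel log gives one record per matching warning, which can be forwarded to whatever alerting is already in place.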

Evidence notes

CVE published 2024-04-09 per official CVE record. CISA ICS advisory ICSA-24-102-01 published same date. Advisory last modified 2026-05-14 with multiple additional CVE releases through September 2025.
