PatchSiren cyber security CVE debrief
CVE-2025-21664 Siemens CVE debrief
This CVE addresses a race condition in the Linux kernel's Device Mapper (dm) thin provisioning subsystem. The vulnerability exists in the `get_first_thin` function, which previously used a non-RCU-safe list operation that could lead to use-after-free conditions during concurrent access. The fix converts this to use RCU-safe list traversal primitives, preventing potential system instability or denial of service when the thin provisioning target is under heavy concurrent load. The vulnerability is local in nature, requiring low privileges and no user interaction, but can result in high availability impact through system crashes or memory corruption.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations running Siemens SIMATIC S7-1500 TM MFP with the GNU/Linux subsystem enabled, particularly in industrial control environments where device availability is critical. System administrators maintaining Linux-based embedded systems using dm-thin provisioning should also assess exposure.
Technical summary
The Device Mapper thin provisioning target in the Linux kernel contains a race condition where `get_first_thin` uses non-RCU-safe list operations. Under concurrent access, this can trigger use-after-free conditions leading to kernel crashes or memory corruption. The vulnerability is exploitable locally with low privileges and requires no user interaction. The fix implements proper RCU list traversal to ensure safe concurrent access patterns.
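A simplified userspace model of the bug class described above, added here as an illustration and not taken from the kernel patch or the advisory: it contrasts a first-entry lookup that reads the list head twice with one that works from a single snapshot. All names (`pool`, `thin`, `first_unsafe`, `first_or_null`, `interleave`) are hypothetical, and the concurrent writer is simulated by a callback so the interleaving is deterministic.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace model; none of these names are the kernel's own. */
struct list_head { struct list_head *next, *prev; };
struct thin { int id; struct list_head list; };
/* Padding keeps the bogus pointer computed below inside this object. */
static struct pool { long pad[2]; struct list_head active; } pool;
static struct thin only;
#define container_of(p, type, member) \
    ((type *)((char *)(p) - offsetof(type, member)))

static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
}
/* Stands in for a concurrent writer running between two reader loads. */
static void (*interleave)(void);
static void writer_removes_only(void) { list_del(&only.list); }

/* Check-then-fetch: head->next is loaded twice and may change in between. */
static struct thin *first_unsafe(struct list_head *head) {
    if (head->next == head) return NULL;    /* load 1: emptiness check */
    if (interleave) interleave();           /* last entry unlinked here */
    return container_of(head->next, struct thin, list);  /* load 2 */
}

/* Single load: one snapshot of head->next decides both check and result. */
static struct thin *first_or_null(struct list_head *head) {
    struct list_head *first = head->next;
    if (interleave) interleave();
    return first == head ? NULL : container_of(first, struct thin, list);
}

/* Returns 1 if the lookup produced a pointer that is not a real entry. */
static int lookup_is_bogus(struct thin *(*lookup)(struct list_head *)) {
    pool.active.next = pool.active.prev = &pool.active;  /* empty list */
    list_add(&only.list, &pool.active);
    interleave = writer_removes_only;
    struct thin *tc = lookup(&pool.active);
    interleave = NULL;
    return tc != NULL && tc != &only;
}
int main(void) {
    printf("check-then-fetch bogus=%d, single-load bogus=%d\n",
           lookup_is_bogus(first_unsafe), lookup_is_bogus(first_or_null));
    return 0;
}
```

In the kernel, the unlinked entry returned by a single-snapshot lookup stays valid until the RCU grace period ends, which is what makes that form safe under `rcu_read_lock()`; the model uses a static object so this holds trivially.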
Defensive priority
medium
Recommended defensive actions
- Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for vendor security updates as no fix is currently available
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
Evidence notes
CVE published 2024-04-09 per CISA CSAF advisory ICSA-24-102-01. Advisory last modified 2026-05-14. This CVE was added to the advisory in Additional Release 6 (2025-06-10). CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. CWE-20 (Improper Input Validation) referenced.
Official resources
- CVE-2025-21664 CVE record (CVE.org)
- CVE-2025-21664 NVD detail (NVD)
- Source item URL (cisa_csaf)