PatchSiren cyber security CVE debrief
CVE-2025-21726 Siemens CVE debrief
CVE-2025-21726 is a Use-After-Free (UAF) vulnerability in the Linux kernel's padata subsystem, specifically affecting the `reorder_work` function. The vulnerability was published on 2024-04-09 and last modified on 2026-05-14. Siemens has identified this vulnerability as affecting the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control system. The vulnerability carries a CVSS 3.1 score of 7.8 (HIGH severity) with a vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that a local attacker with low privileges can achieve high impact on confidentiality, integrity, and availability without user interaction. The padata subsystem is used for parallel data processing in the kernel, and the UAF condition in `reorder_work` could potentially allow privilege escalation or system compromise. As of the advisory publication, no patch is available from Siemens for this specific product. The vulnerability was added to the CISA ICS advisory ICSA-24-102-01 in Additional Release 8 on 2025-08-12, along with 147 other CVEs.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled, particularly in industrial automation and manufacturing environments. Security teams responsible for OT/ICS infrastructure should prioritize access controls given the absence of available patches.
Technical summary
The vulnerability exists in the Linux kernel's padata (parallel data) subsystem, which provides infrastructure for parallelizing CPU-intensive operations. The `reorder_work` function contains a use-after-free condition that can be triggered during reordering operations. On affected Siemens SIMATIC S7-1500 TM MFP systems, the GNU/Linux subsystem exposes this kernel-level vulnerability to potential local exploitation. The CVSS vector indicates local attack vector with low attack complexity, requiring low privileges but granting high impact across all three security dimensions (CIA triad).
Defensive priority
HIGH
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for future Siemens security advisories (SSA-265688) for patch availability
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Review and implement ICS-CERT recommended practices for securing control system environments
Evidence notes
Vulnerability description sourced from CISA CSAF advisory ICSA-24-102-01. CVSS vector and score confirmed from source metadata. Affected product identified as SIMATIC S7-1500 TM MFP GNU/Linux subsystem via CSAF product tree. Timeline of advisory updates tracked through revision history showing CVE added in Additional Release 8 (2025-08-12).
Official resources
-
CVE-2025-21726 CVE record
CVE.org
-
CVE-2025-21726 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-04-09