PatchSiren cyber security CVE debrief
CVE-2025-21767 Siemens CVE debrief
CVE-2025-21767 is a Linux kernel bug called out in Siemens/CISA advisory ICSA-25-162-05 for specific Siemens SIMATIC S7-1500 CPU 1518-* MFP and SIPLUS variants. The issue is tied to PREEMPT_RT behavior in the clocksource watchdog path: clocksource_verify_choose_cpus() can call get_random_u32() while preemption is disabled, which may hit sleeping locks and trigger a kernel BUG. The published advisory rates the issue CVSS 3.1 5.5 (Medium) and states that no fix is currently available in the vendor advisory.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
Siemens SIMATIC S7-1500 operators, OT/ICS security teams, and integrators responsible for the affected CPU models, especially where the additional GNU/Linux subsystem is used or where Linux kernel behavior is relevant.
Technical summary
The root cause is an atomic-context violation in the Linux clocksource watchdog CPU selection path. clocksource_verify_choose_cpus() runs with preemption disabled and invokes get_random_u32() to select CPUs. On PREEMPT_RT kernels, the entropy-related locks involved in that call are sleeping locks, so taking them from atomic context can produce a 'sleeping function called from invalid context' warning and a kernel BUG. The upstream fix described in the source uses migrate_disable() so smp_processor_id() can be used reliably without introducing atomic context, then applies preempt_disable() later to avoid unexpected latency during the measurement path.
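As an added illustration (not code from the advisory or from the kernel), the following userspace C model contrasts the two orderings described above: preempt_disable(), migrate_disable() and get_random_u32() are same-named stand-ins, and the violation counter models the PREEMPT_RT sleeping-lock check that would otherwise produce the warning and BUG.

```c
/* Added userspace model, not kernel code: mimics the PREEMPT_RT rule that a
 * sleeping lock must not be taken while preemption is disabled, and contrasts the
 * buggy and fixed orderings described for clocksource_verify_choose_cpus(). */
#include <stdint.h>

static int preempt_count;  /* > 0 means atomic context: sleeping is not allowed */
static int migrate_count;  /* > 0 means pinned to this CPU but still preemptible */
static int violations;     /* modelled "sleeping function called from invalid context" */

static void preempt_disable(void) { preempt_count++; }
static void preempt_enable(void)  { preempt_count--; }
static void migrate_disable(void) { migrate_count++; }
static void migrate_enable(void)  { migrate_count--; }

/* On PREEMPT_RT the entropy locks behind get_random_u32() are sleeping locks; this
 * stand-in counts the violation instead of crashing and uses a fixed-seed toy LCG
 * (constructed, not the kernel CSPRNG) so the picks are deterministic. */
static uint32_t get_random_u32(void)
{
    static uint32_t state = 0x9e3779b9u;
    if (preempt_count > 0)
        violations++;
    state = state * 1664525u + 1013904223u;
    return state;
}

/* Buggy ordering: preemption is disabled before the random CPU picks. */
int choose_cpus_buggy(int nr_cpus, int *out, int n)
{
    violations = 0;
    preempt_disable();
    for (int i = 0; i < n; i++)
        out[i] = (int)(get_random_u32() % (uint32_t)nr_cpus);
    preempt_enable();
    return violations;
}

/* Fixed ordering: migrate_disable() keeps smp_processor_id() stable during the
 * picks; preemption is disabled only afterwards, around the measurement window. */
int choose_cpus_fixed(int nr_cpus, int *out, int n)
{
    violations = 0;
    migrate_disable();
    for (int i = 0; i < n; i++)
        out[i] = (int)(get_random_u32() % (uint32_t)nr_cpus);
    preempt_disable();   /* latency-sensitive measurement would run here */
    preempt_enable();
    migrate_enable();
    return violations;
}
```

Each function returns the number of modelled sleeping-lock violations, so the buggy ordering reports one per CPU pick and the fixed ordering reports none.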
Defensive priority
Medium — prioritize affected OT deployments because the issue can destabilize the Linux subsystem and the advisory says no vendor fix is currently available.
Recommended defensive actions
- Inventory the listed Siemens SIMATIC S7-1500 and SIPLUS CPU models and confirm whether the additional GNU/Linux subsystem is enabled in your deployment.
- Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources on affected devices.
- Monitor Siemens ProductCERT and CISA advisory updates for remediation guidance or a vendor fix.
- If you maintain custom Linux builds, verify whether the upstream migrate_disable() fix is present where applicable.
- Follow CISA ICS defense-in-depth and recommended-practices guidance for layered protection while awaiting remediation.
Evidence notes
The supplied advisory describes a PREEMPT_RT kernel bug that can call get_random_u32() in atomic context, causing a sleeping-function warning and kernel BUG. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which supports an availability-focused impact. The source advisory lists five affected Siemens CPU variants and explicitly states 'Currently no fix is available.' Timing context: the CVE/public advisory date is 2025-06-10, and the latest supplied source modification is 2026-05-14; those are publication/update dates, not the issue creation date.
Official resources
- CVE-2025-21767 CVE record (CVE.org)
- CVE-2025-21767 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA/Siemens advisory ICSA-25-162-05 on 2025-06-10, with later republication updates through 2026-05-14. The supplied enrichment does not mark this CVE as a CISA KEV item.