PatchSiren cyber security CVE debrief
CVE-2025-38058 Siemens CVE debrief
CVE-2025-38058 was published on 2025-06-10 and last updated on 2026-05-14. The advisory describes a race in the Linux kernel function __legitimize_mnt(), where the check for MNT_SYNC_UMOUNT occurs outside mount_lock. In a narrow timing window around umount(2), a mount's reference count can be raised after the victim has already been verified as not busy. That prevents the quiet undo path and can force a full mntput() later in caller context. Siemens and CISA map the issue to five SIMATIC/SIPLUS S7-1500 CPU products and state that no fix is currently available.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers of the Siemens SIMATIC S7-1500 CPU family listed in the advisory, especially environments that use the additional GNU/Linux subsystem or expose its interactive shell. Security teams responsible for local access control, application trust, and patch tracking for those devices should prioritize this advisory.
Technical summary
The source description identifies a timing-sensitive reference-counting bug in the Linux kernel mount lifecycle. __legitimize_mnt() checks MNT_SYNC_UMOUNT before taking mount_lock, which can miss the state transition during umount(2). If the reference count is incremented after the mount has been judged not busy but before MNT_SYNC_UMOUNT is set, the function cannot safely revert the increment and leaves the later reference drop to the caller as a full mntput(). The published CVSS vector is local, low-privilege, no-user-interaction, with high availability impact only (CVSS 5.5, MEDIUM).
Defensive priority
Medium. The impact is limited to local availability, but the advisory lists affected Siemens OT products and says no fix is available yet, so compensating controls matter now.
Recommended defensive actions
- Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources on the affected devices.
- Inventory the five advisory-listed Siemens SIMATIC/SIPLUS CPU variants and confirm exposure of the GNU/Linux subsystem.
- Monitor the Siemens ProductCERT advisory and CISA republication for any future remediation updates.
- Apply least-privilege access controls and administrative separation for operators who can reach the local shell or subsystem.
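One way to carry out the inventory step above, as an added example that is not part of the advisory or of any Siemens or CISA tooling: it resolves the `known_affected` product IDs of a CSAF 2.0 document to product names and matches their order numbers against an asset list. The CSAF fragment, the `CSAFPID-…` IDs, the second (placeholder) product and the inventory field names are constructed assumptions; only the first product name comes from this page.

```python
import re

# Constructed CSAF 2.0 fragment, trimmed to the fields used here; not the real
# advisory file. Only the first product name is from the page, the second is a placeholder.
CSAF = {
    "product_tree": {"branches": [{"category": "vendor", "name": "Siemens", "branches": [
        {"product": {"product_id": "CSAFPID-0001", "name":
                     "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)"}},
        {"product": {"product_id": "CSAFPID-0002", "name":
                     "PLACEHOLDER CPU VARIANT (ORDER-NO-PLACEHOLDER)"}}]}]},
    "vulnerabilities": [{
        "cve": "CVE-2025-38058",
        "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
        "remediations": [{"category": "none_available", "details": "constructed",
                          "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]}]}],
}
# Constructed inventory; the field names are assumptions for this example.
INVENTORY = [
    {"asset": "plc-line1", "order_no": "6es7518-4ax00-1ab0", "shell_exposed": True},
    {"asset": "plc-line2", "order_no": "ORDER-NO-NOT-LISTED", "shell_exposed": False},
]

def product_names(node, out=None):
    """Walk nested product_tree branches and map product_id -> full product name."""
    out = {} if out is None else out
    if "product" in node:
        out[node["product"]["product_id"]] = node["product"]["name"]
    for child in node.get("branches", []):
        product_names(child, out)
    return out

def order_number(name):
    """Return the order number from the trailing parentheses of a product name."""
    m = re.search(r"\(([^()]+)\)\s*$", name)
    return m.group(1).upper() if m else None

def exposure(csaf, cve, inventory):
    """Inventory rows whose order number is known_affected for cve, shell-exposed first."""
    names, hits = product_names(csaf["product_tree"]), []
    for vuln in (v for v in csaf.get("vulnerabilities", []) if v.get("cve") == cve):
        affected = vuln.get("product_status", {}).get("known_affected", [])
        # Products with no fix rely on the compensating controls listed above.
        unfixed = {p for r in vuln.get("remediations", [])
                   if r.get("category") in ("none_available", "no_fix_planned")
                   for p in r.get("product_ids", [])}
        by_order = {order_number(names[p]): p for p in affected if p in names}
        for row in inventory:
            if pid := by_order.get(row["order_no"].strip().upper()):
                hits.append({**row, "product": names[pid], "fix_available": pid not in unfixed})
    return sorted(hits, key=lambda h: not h["shell_exposed"])
```

Calling `exposure(CSAF, "CVE-2025-38058", INVENTORY)` returns the matching assets with `fix_available` set to `False`, which marks the devices that depend on shell-access restrictions until a remediation is published.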
Evidence notes
The CVE description supplied in the source corpus states the race condition, the mount_lock ordering issue, and the potential for a full mntput() in caller context. The CISA CSAF source item maps CVE-2025-38058 to Siemens advisory ICSA-25-162-05 and lists five affected product IDs/names. The remediation entries explicitly say to restrict shell access to trusted personnel, use trusted software only, and that currently no fix is available.
Official resources
- CVE-2025-38058 CVE record (CVE.org)
- CVE-2025-38058 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA/Siemens advisory material on 2025-06-10, with the latest cited republication update on 2026-05-14.