PatchSiren cyber security CVE debrief
CVE-2025-38079 Siemens CVE debrief
CVE-2025-38079 is a high-severity Linux kernel memory-safety issue that Siemens surfaced in its SIMATIC S7-1500 CPU family advisory. The flaw is in crypto: algif_hash, where a failed crypto_ahash_import path during accept(2) with MSG_MORE set can free sk2 twice, leading to slab-use-after-free behavior. The CISA CSAF advisory was published on 2025-06-10 and was most recently republished on 2026-05-14. Siemens’ advisory notes no fix is currently available, so exposure reduction is the primary defense.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
Operators, engineers, and security teams responsible for the listed Siemens SIMATIC S7-1500 CPU variants, especially where the additional GNU/Linux subsystem is enabled or locally accessible. Also relevant to anyone managing local-user access on affected industrial systems.
Technical summary
The underlying issue is a double free in the Linux kernel’s algif_hash accept path. If accept(2) is invoked on an algif_hash socket with MSG_MORE set and crypto_ahash_import fails, sk2 is freed in that error path and then freed again later by af_alg_release. That creates a slab-use-after-free condition. The advisory data and CVSS vector indicate a local attack scenario with low privileges and no user interaction, with high impacts to confidentiality, integrity, and availability. Siemens ties the issue to affected SIMATIC S7-1500 CPU products that include an additional GNU/Linux subsystem.
Defensive priority
High. The issue is severe, locally reachable under the described conditions, and Siemens reports no fix is currently available. Priority should be highest where local shell or subsystem access cannot be tightly controlled.
Recommended defensive actions
- Restrict access to the additional GNU/Linux subsystem shell to trusted personnel only.
- Only build and run applications from trusted sources.
- Inventory the listed affected SIMATIC S7-1500 CPU variants and confirm whether the GNU/Linux subsystem is enabled or reachable.
- Reduce local access pathways and remove unnecessary users or services on affected devices.
- Monitor Siemens ProductCERT and CISA updates for a future remediation or revision to the advisory.
- Apply layered industrial-control-system defense-in-depth guidance while awaiting a vendor fix.
Evidence notes
The source advisory text states that a failed crypto_ahash_import during accept(2) can free sk2 twice and cause a slab-use-after-free error. The CSAF record lists the affected Siemens SIMATIC S7-1500 CPU variants, marks no current fix as available, and provides mitigations focused on restricting shell access and using trusted software sources. Timing context comes from the supplied CVE published date of 2025-06-10 and latest modified date of 2026-05-14; those are used as the disclosure timeline anchors.
Official resources
-
CVE-2025-38079 CVE record
CVE.org
-
CVE-2025-38079 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory ICSA-25-162-05 on 2025-06-10, with the latest republication on 2026-05-14 based on Siemens ProductCERT SSA-082556.