PatchSiren cyber security CVE debrief
CVE-2025-38084 Siemens CVE debrief
CVE-2025-38084 is a high-severity local Linux kernel memory-management race that Siemens and CISA republished for affected SINEC OS firmware. The issue is in hugetlb page-table handling during VMA split: unsharing happened too early, before the relevant VMA and rmap locks were held, creating a race window. Siemens’ remediation is to update affected products to V3.3 or later.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-28
- Original CVE updated
- 2026-02-25
- Advisory published
- 2026-01-28
- Advisory updated
- 2026-02-25
Who should care
Asset owners, OT platform administrators, and maintenance teams responsible for Siemens SINEC OS firmware on the listed SCALANCE and RUGGEDCOM products should prioritize review and remediation. Security teams should also verify whether any embedded Linux-based deployment inherits the affected kernel behavior.
Technical summary
The source advisory describes a Linux kernel bug in mm/hugetlb where __split_vma() triggered hugetlb page-table unsharing via vm_ops->may_split() before VMA and rmap write locks were acquired. That timing allowed racing page faults or rmap walks to re-share page tables before the split completed. The fix moves the unshare operation into the locked section used for THP splitting. The supplied CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a local attack path with high complexity and low privileges.
Defensive priority
High for affected deployments. The advisory is rated HIGH and the impact includes confidentiality, integrity, and availability. Prioritize any exposed or routinely maintained Siemens SINEC OS firmware in production OT environments.
Recommended defensive actions
- Inventory affected Siemens devices and confirm whether they run the impacted SINEC OS firmware.
- Upgrade affected products to V3.3 or later using Siemens' published remediation guidance.
- Plan maintenance windows and validate the update path for each product model before deployment.
- If immediate patching is not possible, reduce access to trusted local users and enforce least-privilege administration.
- Track the Siemens and CISA advisories for any product-scope clarifications or follow-up revisions.
Evidence notes
The corpus ties CVE-2025-38084 to Siemens advisory SSA-089022 / CISA ICSA-26-043-06 and lists remediation as V3.3 or later for affected products. The revision history notes CISA republication updates and a clarification that only SINEC OS firmware is impacted. The corpus contains no KEV listing, no ransomware linkage, and no reported exploitation evidence. The underlying technical description is Linux-kernel-specific, so product scope should be read from the Siemens/CISA advisory rather than from the kernel patch note alone.
Official resources
-
CVE-2025-38084 CVE record
CVE.org
-
CVE-2025-38084 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the supplied source corpus on 2026-01-28, with a latest listed update on 2026-02-25. The CISA revision history shows republishing updates on 2026-02-12, 2026-02-24, and 2026-02-25 under ICSA-26-043-06 / Siemens SSA-089