PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-38085 Siemens CVE debrief

CVE-2025-38085 is a Siemens-adopted Linux kernel issue affecting SINEC OS firmware on multiple industrial products, with CISA republishing Siemens ProductCERT advisory SSA-089022 as ICSA-26-043-06. The vulnerable behavior is a race between huge_pmd_unshare() and gup_fast() that can cause one process to walk page tables associated with another process. In the supplied advisory text, the issue is described as unexpected behavior rather than an identified memory-corruption path, and the published CVSS vector rates it as a local, low-privilege availability issue. For defenders, the key action is to identify impacted Siemens devices and update to V3.3 or later, as directed in the vendor remediation. CISA’s revision history also notes that the advisory was updated to clarify product scope, including that only SINEC OS firmware is impacted. This is a maintenance-priority issue for environments running the affected firmware, especially where local access is feasible.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-28
Original CVE updated
2026-02-25
Advisory published
2026-01-28
Advisory updated
2026-02-25

Who should care

OT and industrial networking teams running Siemens SINEC OS firmware on the affected product families, plus patch managers responsible for Siemens-managed appliances and Linux-based embedded platforms.

Technical summary

The supplied description says huge_pmd_unshare() can drop a reference on a page table that was previously shared across processes, which may turn it into a normal page table in another process where unrelated VMAs can later be installed. If a concurrent gup_fast() occurs during that window, gup_fast() may walk the page tables of another process. The proposed fix is an explicit broadcast IPI via tlb_remove_table_sync_one(), mirroring the synchronization used during khugepaged page-table removal for THP collapse. The CVSS vector in the source is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access, low privileges, and high availability impact only.

Defensive priority

Medium priority. Treat as a planned patch item for affected Siemens firmware, with faster action in environments that permit local user access or shared administrative workflows.

Recommended defensive actions

  • Identify whether any deployed Siemens devices match the affected product list in ICSA-26-043-06 / SSA-089022 and confirm the installed SINEC OS firmware version.
  • Upgrade affected products to SINEC OS V3.3 or later using the vendor remediation path provided by Siemens.
  • Track the CISA republication history for scope clarifications; the latest update states that only SINEC OS firmware is impacted.
  • Apply least-privilege and local-access controls on systems where the firmware is deployed, since the CVSS vector requires local access and low privileges.
  • Schedule maintenance and validation testing before deployment, especially for industrial environments where firmware updates require outage planning.

Evidence notes

Evidence is taken from the supplied CISA CSAF source item for ICSA-26-043-06, its revision history, and the referenced Siemens ProductCERT advisory SSA-089022. The source text ties CVE-2025-38085 to a Linux kernel huge_pmd_unshare() vs GUP-fast race, lists Siemens affected products, and provides the remediation to update to V3.3 or later. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, supporting a local, availability-focused severity assessment. The timeline used here follows the CVE/source publication and modification dates in the provided corpus.

Official resources

CVE published 2026-01-28 and modified 2026-02-25 in the supplied record. CISA republished Siemens ProductCERT advisory SSA-089022 as ICSA-26-043-06 on the same publication date, with later updates clarifying affected scope. No KEV listing,,