PatchSiren

CVE-2025-38236 Siemens CVE debrief

CVE-2025-38236 is a high-severity use-after-free in Linux kernel AF_UNIX stream receive handling. In the Siemens advisory, it is mapped to SIMATIC S7-1500 CPU MFP products that include an additional GNU/Linux subsystem. The source notes that no fix was available at publication time and recommends restricting shell access on affected devices and only building and running applications from trusted sources.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

OT and industrial-control teams running the listed Siemens SIMATIC S7-1500 CPU MFP products, especially where the additional GNU/Linux subsystem is enabled and reachable by trusted or untrusted users. Linux kernel maintainers and defenders of embedded Linux environments should also track this issue because the root cause is in unix_stream_read_generic() and related AF_UNIX OOB handling.

Technical summary

The advisory describes a use-after-free in unix_stream_read_generic() caused by consecutive consumed out-of-band (OOB) sk_buffs remaining on the receive queue. A sequence of MSG_OOB reads can leave multiple consumed OOB skbs in place; a later non-OOB recv is then mishandled by the SO_PEEK_OFF / manage_oob() logic, so that the code frees an skb that is accessed again afterwards. The source cites a KASAN slab-use-after-free in unix_stream_read_actor and assigns CVSS 3.1 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
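For triage, the KASAN evidence cited above can be turned into a kernel-log check. The following is an added example, not code from the advisory or from Siemens: it groups log lines into crash reports and flags those whose header or reliable stack frames name the AF_UNIX functions mentioned in this debrief. The sample log is constructed, and a KASAN header only appears on kernels built with KASAN, so the check also accepts plain oops reports.

```python
import re

# Functions the advisory names on the AF_UNIX OOB receive path.
WATCHED = ("unix_stream_read_generic", "unix_stream_read_actor", "manage_oob")

STAMP = re.compile(r"^.*?\[\s*\d+\.\d+\]\s?")   # dmesg/syslog prefix
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)"
                    r"|Oops: |general protection fault|BUG: unable to handle")
TASK = re.compile(r"(?:by task |Comm: )(?P<task>\S+)")
# Reliable stack frames only: lines starting with "? " are unwinder guesses.
FRAME = re.compile(r"^\s*(?:RIP: \w+:)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_af_unix_crashes(lines):
    """Group kernel log lines into crash reports; return those whose header
    or call trace names a watched AF_UNIX function."""
    reports, cur = [], None
    for raw in lines:
        line = STAMP.sub("", raw.rstrip("\n"))
        head = HEADER.search(line)
        if head:                                  # a new report starts here
            cur = {"header": line.strip(), "kind": head.group("kind"),
                   "task": None, "hits": []}
            reports.append(cur)
            sym = head.group("func")
        elif cur is None or "end trace" in line:
            cur = None                # outside a report, or report finished
            continue
        else:
            task, frame = TASK.search(line), FRAME.match(line)
            if task and cur["task"] is None:
                cur["task"] = task.group("task")
            sym = frame.group("sym") if frame else None
        if sym in WATCHED and sym not in cur["hits"]:
            cur["hits"].append(sym)
    return [r for r in reports if r["hits"]]

# Constructed sample log (addresses, offsets and task name are made up).
SAMPLE = """\
[  101.000001] BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0x10/0x20
[  101.000002] Read of size 4 at addr ffff888100000000 by task demo/315
[  101.000003]  unix_stream_read_actor+0x10/0x20
[  101.000004]  unix_stream_read_generic+0x30/0x40
[  101.000005]  ? manage_oob+0x50/0x60
[  101.000006] ---[ end trace 0000000000000000 ]---
[  202.000001] BUG: KASAN: slab-out-of-bounds in example_driver_read+0x10/0x20
""".splitlines()

if __name__ == "__main__":
    print(find_af_unix_crashes(SAMPLE))
```

A match is a reason to pull the full log and identify the reporting task, not proof of this specific CVE, since other bugs can crash in the same functions.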

Defensive priority

High. The issue is locally exploitable with low privileges on the affected Linux kernel path and is rated High by CVSS. For Siemens' mapped products, the source states no fix was available at the time of publication, so compensating controls matter immediately.

Recommended defensive actions

  • Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
  • Only build and run applications from trusted sources.
  • Review whether the affected SIMATIC S7-1500 CPU MFP products are deployed in environments where local shell access or untrusted application execution is possible.
  • Monitor Siemens and CISA advisory updates for a vendor fix or additional mitigation guidance.
  • Use the referenced CISA industrial-control defensive practices and defense-in-depth guidance for layered access control and software provenance controls.

Evidence notes

CVE-2025-38236 was published on 2025-06-10 and the supplied source was last modified on 2026-05-14. The source advisory text identifies a Linux kernel AF_UNIX use-after-free in unix_stream_read_generic(), shows KASAN evidence, and maps the issue to Siemens SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP and SIPLUS variants. The remediation section explicitly says no fix is currently available and recommends restricting shell access and only running trusted applications.

Official resources

Initial publication date: 2025-06-10. The source advisory was updated multiple times through 2026-05-14; use the 2025-06-10 publication date for the CVE timing context.