PatchSiren cyber security CVE debrief
CVE-2025-38345 Siemens CVE debrief
CVE-2025-38345 was publicly disclosed in the Siemens/CISA advisory stream on 2026-01-28 and republished by CISA on 2026-02-25 after scope updates. The issue is a Linux kernel ACPICA operand cache leak that can surface during ACPI early termination on affected Siemens OT products, with Siemens directing customers to update to V3.3 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
Siemens OT/ICS operators running the affected RUGGEDCOM RST2428P or SCALANCE-family firmware, especially teams responsible for reboot reliability, firmware maintenance, and boot-chain integrity.
Technical summary
The corpus describes a bug in ACPICA’s dswstate.c where acpi_ds_obj_stack_pop_and_delete() miscalculates the top of the operand stack relative to acpi_ds_obj_stack_push(), leaving Acpi-Operand cache objects allocated when ACPI initialization terminates early. In the reported failure mode, a malformed or malicious ACPI table can force early termination, kmem_cache_destroy() reports that the slab cache still has objects, and the system continues booting after logging ACPI errors. The advisory assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5). The source also notes that older kernels (<= 4.9) may expose stack-dump addresses, which is a hardening concern mentioned in the advisory rather than the scored impact.
Defensive priority
Medium. Plan remediation in the next maintenance window, but accelerate if the device is reboot-sensitive or if firmware/boot integrity cannot be tightly controlled.
Recommended defensive actions
- Update affected Siemens products to V3.3 or later as directed in SSA-089022 / CISA ICSA-26-043-06.
- Verify your exact device and firmware are in the affected-product list, since CISA’s republication updated the scope on 2026-02-24 and 2026-02-25.
- Check boot logs for ACPI interpreter failures and 'Acpi-Operand' slab-cache messages to identify systems that may have hit the condition.
- Apply ICS defense-in-depth practices and protect firmware/boot inputs from tampering, especially in environments where ACPI tables or boot media can be altered.
- After updating, test a controlled reboot to confirm ACPI initialization completes normally and no cache-leak errors are logged.
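The boot-log check and the post-update reboot test from the list above, as an added example (not code from Siemens, CISA or the advisory). It assumes the kernel log has been exported as dmesg-style text; the ACPI failure wording and the "Linux version" boot banner are assumptions, only the Acpi-Operand signature is quoted on this page, and the sample log is constructed.

```python
import re

# Slab-cache signature as quoted on this page.
LEAK_RE = re.compile(r"kmem_cache_destroy\s+Acpi-Operand:\s+Slab cache still has objects")
# Assumption: usual kernel wording for ACPI failures (not quoted on this page).
ACPI_FAIL_RE = re.compile(r"ACPI (?:Error|Exception)\b|Unable to start the ACPI Interpreter")
# Assumption: each boot starts with the kernel's "Linux version" banner line.
BOOT_RE = re.compile(r"\bLinux version \S+")


def triage_boots(log_text):
    """Return one record (matched lines plus verdict) per boot in a kernel log."""
    boots = []
    for line in log_text.splitlines():
        if BOOT_RE.search(line) or not boots:
            boots.append({"leak": [], "acpi_errors": []})
        if LEAK_RE.search(line):
            boots[-1]["leak"].append(line.strip())
        elif ACPI_FAIL_RE.search(line):
            boots[-1]["acpi_errors"].append(line.strip())
    for boot in boots:
        if boot["leak"]:
            boot["verdict"] = "operand-cache-leak"    # signature from the advisory
        elif boot["acpi_errors"]:
            boot["verdict"] = "acpi-errors-no-leak"   # review, but not this signature
        else:
            boot["verdict"] = "clean"
    return boots


def reboot_test_passed(log_text):
    """Post-update check: the most recent boot must log no ACPI failure at all."""
    boots = triage_boots(log_text)
    return bool(boots) and boots[-1]["verdict"] == "clean"


# Constructed sample: the first boot hits the condition, the second boot is clean.
SAMPLE_LOG = """\
[    0.000000] Linux version 0.0.0-sample (constructed log line)
[    0.597858] ACPI: Unable to start the ACPI Interpreter
[    0.599162] ACPI Error: Could not remove SCI handler (constructed)
[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
[    0.000000] Linux version 0.0.0-sample (constructed log line)
[    0.585957] ACPI: Interpreter enabled
"""

if __name__ == "__main__":
    for n, boot in enumerate(triage_boots(SAMPLE_LOG), 1):
        print(n, boot["verdict"], len(boot["leak"]), len(boot["acpi_errors"]))
```

A boot classified as acpi-errors-no-leak still fails the reboot test, since the action above asks for ACPI initialization to complete normally.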
Evidence notes
The supplied corpus explicitly states the ACPI operand cache leak, the stack-index mismatch in acpi_ds_obj_stack_pop_and_delete(), the boot-log signature ('kmem_cache_destroy Acpi-Operand: Slab cache still has objects'), and Siemens’ remediation to update to V3.3 or later. CISA’s revision history shows the advisory was initially published on 2026-01-28, republished on 2026-02-12, expanded on 2026-02-24, and updated again on 2026-02-25. The corpus does not provide a detailed firmware version range beyond the remediation statement.
Official resources
- CVE-2025-38345 CVE record (CVE.org)
- CVE-2025-38345 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the provided advisory corpus on 2026-01-28, with CISA’s latest republication update on 2026-02-25. No KEV listing is present in the supplied data.