PatchSiren cyber security CVE debrief

CVE-2025-38350 Siemens CVE debrief

CVE-2025-38350 is a Linux kernel traffic-control (net/sched) bug: certain classful qdiscs can empty a child class without reliably notifying the parent, leaving the parent with a stale reference to the class and opening a use-after-free. Siemens' advisory maps the issue to SINEC OS firmware on affected industrial networking products, with a fix available in SINEC OS V3.3 or later. CISA's CSAF record shows the Siemens advisory as first published on 2026-01-28 and updated through 2026-02-25.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-28
Original CVE updated
2026-02-25
Advisory published
2026-01-28
Advisory updated
2026-02-25

Who should care

Operators and administrators of Siemens devices running affected SINEC OS firmware, in particular the RUGGEDCOM RST2428P listed in the advisory. The CVSS vector is local (AV:L) with low privileges required (PR:L), so any deployment where a low-privileged user can obtain local access to the device, and where traffic-control/qdisc functionality is in use, is in scope. Industrial environments that manage RUGGEDCOM, SCALANCE and related Siemens networking products should verify whether they are on an affected firmware line.

Technical summary

The kernel flaw is in net/sched backlog handling for classful qdiscs. On certain enqueue/dequeue paths, a child qdisc can become empty, and its class be made passive via qlen_notify(), earlier than the parent expects. If the parent later operates on that class through a reference it still holds (for example by reactivating it), it touches memory that may already have been freed, giving a use-after-free. The source advisory notes that an earlier HFSC-specific accounting fix was incomplete; the final approach is to always call qlen_notify() whenever the child qdisc is empty, and to make the class handlers idempotent so that a repeated notification for the same class is harmless. The CVSS 3.1 vector in the source is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (7.1 HIGH): local access, low privileges, no user interaction, no confidentiality impact, high integrity and availability impact.
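The following is an added editorial illustration, not Siemens or Linux kernel code: a user-space model of the "always notify, handlers must be idempotent" design the fix adopts. The list, class and parent types are simplified stand-ins for the kernel's list_head and class operations (assumed names, not the real structures). The parent notifies the class every time the child is empty, so the same class receives the notification twice; a handler that unlinks unconditionally follows a poisoned pointer on the second call (the model reports a fault where the kernel would dereference freed memory), while the idempotent handler treats the repeat as a no-op.

```c
/* Added example (not kernel or Siemens code): model of duplicate qlen_notify
 * calls against a non-idempotent and an idempotent class handler. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Intrusive doubly linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Unlink and poison, like the kernel's list_del(): a second unlink would
 * dereference NULL here and freed/poisoned memory in the kernel. */
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

/* Unlink and re-initialise, like list_del_init(): safe to test with list_empty(). */
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

/* Model class: a child qdisc queue length plus a slot on the parent's active list. */
struct model_class {
    int qlen;                 /* packets queued in the child qdisc */
    struct list_head active;  /* linked into the parent's active list while qlen > 0 */
};

struct model_parent { struct list_head active_list; };

enum {
    SCENARIO_CLEAN      = 0,
    FAULT_DOUBLE_UNLINK = 1,  /* handler ran on an already-unlinked class */
    FAULT_STALE_ACTIVE  = 2,  /* parent still lists an empty class as active */
};

/* Non-idempotent handler: unlinks unconditionally. Returns false where the
 * kernel would have followed a poisoned pointer. */
static bool qlen_notify_unsafe(struct model_class *cl)
{
    if (cl->active.next == NULL)
        return false;
    list_del(&cl->active);
    return true;
}

/* Idempotent handler: a repeated notification for an unlinked class is a no-op. */
static void qlen_notify_idempotent(struct model_class *cl)
{
    if (!list_empty(&cl->active))
        list_del_init(&cl->active);
}

/* Parent side of the fix: notify whenever the child is empty, unconditionally. */
static int notify_if_empty(struct model_class *cl, bool idempotent)
{
    if (cl->qlen != 0)
        return SCENARIO_CLEAN;
    if (idempotent) {
        qlen_notify_idempotent(cl);
        return SCENARIO_CLEAN;
    }
    return qlen_notify_unsafe(cl) ? SCENARIO_CLEAN : FAULT_DOUBLE_UNLINK;
}

/* Scenario from the summary: the child drains its last packet during an
 * enqueue (first notification), then the backlog-accounting path sees
 * qlen == 0 and notifies the same class again. Returns a bitmask of faults. */
static int run_scenario(bool idempotent)
{
    struct model_parent parent;
    struct model_class cl;
    int faults = SCENARIO_CLEAN;

    list_init(&parent.active_list);
    list_init(&cl.active);
    cl.qlen = 1;
    list_add_tail(&cl.active, &parent.active_list);  /* class is active */

    cl.qlen = 0;                                      /* drained during enqueue */
    faults |= notify_if_empty(&cl, idempotent);       /* first notification */
    faults |= notify_if_empty(&cl, idempotent);       /* duplicate notification */

    if (!list_empty(&parent.active_list))
        faults |= FAULT_STALE_ACTIVE;
    return faults;
}

int main(void)
{
    printf("non-idempotent handler: faults=%d\n", run_scenario(false));
    printf("idempotent handler:     faults=%d\n", run_scenario(true));
    return 0;
}
```

The point the model makes is that once the parent is changed to notify on every empty child, correctness moves into the handlers: each class's qlen_notify must check whether it is still on the active list before unlinking, which is why the handlers were made idempotent rather than the parent trying to suppress duplicate calls.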

Defensive priority

High. A vendor fix is available, the attack vector is local, and the flaw can affect industrial firmware platforms that may be harder to patch quickly. Prioritize inventory, firmware verification, and upgrade planning.

Recommended defensive actions

  • Confirm whether any Siemens devices in scope are running the affected SINEC OS firmware line.
  • Update affected devices to SINEC OS V3.3 or later, as directed in the Siemens advisory.
  • Use maintenance windows to update and verify affected firmware versions across the fleet.
  • Limit local access to trusted operators only, and keep low-privileged local accounts to a minimum: the source CVSS vector requires local access (AV:L) with only low privileges (PR:L).
  • Review any systems that use advanced Linux traffic-control/qdisc features and ensure they are covered by current firmware and patch baselines.
  • Track Siemens ProductCERT and CISA advisory updates for any scope changes or additional affected products.

Evidence notes

Source corpus: CISA CSAF ICSA-26-043-06, a republication of Siemens advisory SSA-089022; published 2026-01-28 and updated 2026-02-12, 2026-02-24 and 2026-02-25. After revision, the advisory states that only SINEC OS firmware is impacted, and that the remediation is an update to V3.3 or later. The source also provides the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H with a base score of 7.1.

Official resources

First published in the source corpus on 2026-01-28 via CISA CSAF ICSA-26-043-06, republished from Siemens SSA-089022, with follow-up updates on 2026-02-12, 2026-02-24, and 2026-02-25. The source corpus does not list this CVE in CISA KEV.