PatchSiren cyber security CVE debrief
CVE-2025-38364 Siemens CVE debrief
CVE-2025-38364 is a Linux kernel flaw in maple_tree preallocation handling that can suppress expected allocations and, in some paths, lead to a WARN_ON followed by a NULL pointer dereference. In the supplied Siemens/CISA advisory context, the issue is tied to SIMATIC S7-1500 CPU family products that expose an additional GNU/Linux subsystem, with no fix listed in the source advisory.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
OT defenders and operators responsible for Siemens SIMATIC S7-1500 CPU family systems, especially environments that expose the additional GNU/Linux subsystem, allow local shell access, or run third-party applications on the device.
Technical summary
The kernel bug is in mas_preallocate(): when explicit allocations are requested, the MA_STATE_PREALLOC flag is handled incorrectly. According to the advisory text, pre-existing allocations are already counted by mas_node_count_gfp(), but the allocation can be skipped if the flag remains set. The result is that subsequent requests for a larger number of nodes may be ignored, which can surface as a WARN_ON and then a NULL pointer dereference during later consumption, including a vma merge retry in mmap_region() when drivers alter vma flags. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, so the primary impact is local availability loss.
Defensive priority
Medium. Treat as operationally important because the described failure mode can crash the affected Linux subsystem and the source advisory states that no fix is currently available.
Recommended defensive actions
- Restrict interactive shell access on affected systems to trusted personnel only, as the advisory recommends.
- Only build and run applications from trusted sources on the affected GNU/Linux subsystem.
- Review logs and crash reports for WARN_ON events, kernel oopses, or unexpected NULL pointer dereference symptoms in the affected subsystem.
- Monitor Siemens and CISA advisory updates for revised mitigation guidance, since the supplied source currently lists no fix available.
- Reduce local access and administrative exposure on affected devices to limit the conditions required for exploitation.
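One way to carry out the log review above, as an added example that is not part of the source advisory: it scans kernel log text for the generic WARNING, Oops and NULL pointer dereference markers and flags a dereference that closely follows a WARNING near the symbols this debrief names. The sample lines are constructed (placeholder file name, zeroed offsets), and the 10-second window and 8-line trace depth are assumptions to tune per device.

```python
import re

# Generic Linux kernel log markers for the symptoms listed above.
MARKERS = [
    ("warn", re.compile(r"WARNING: CPU: \d+ PID: \d+ at \S+")),
    ("null_deref", re.compile(r"NULL pointer dereference")),
    ("oops", re.compile(r"\bOops: ")),
]
# Symbols named in this debrief; a match only raises triage priority.
RELATED = re.compile(r"\b(?:mas_\w+|mmap_region)\b")
STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")

def scan(lines, window=10.0, trace_lines=8):
    """One finding per marker line; flags a NULL deref that follows a WARN."""
    findings, last_warn = [], None
    for i, line in enumerate(lines):
        kind = next((k for k, rx in MARKERS if rx.search(line)), None)
        if kind is None:
            continue
        m = STAMP.match(line)
        ts = float(m.group(1)) if m else None
        context = lines[i:i + 1 + trace_lines]  # marker line plus trace below it
        symbols = sorted({s for c in context for s in RELATED.findall(c)})
        follows = False
        if kind == "warn":
            last_warn = ts
        elif kind == "null_deref" and None not in (ts, last_warn):
            follows = 0 <= ts - last_warn <= window
        findings.append({"line": i + 1, "kind": kind, "time": ts,
                         "related_symbols": symbols, "follows_warn": follows})
    return findings

def escalate(findings):
    """Findings matching the WARN -> NULL dereference sequence near named symbols."""
    return [f for f in findings if f["follows_warn"] and f["related_symbols"]]

# Constructed sample: placeholder file name, zeroed offsets, invented timestamps.
SAMPLE = """\
[  812.400112] eth0: link up
[  913.551020] WARNING: CPU: 1 PID: 2210 at placeholder.c:0 mas_preallocate+0x0/0x0
[  913.551090] Call Trace:
[  913.551101]  mmap_region+0x0/0x0
[  913.551402] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  913.551410] Oops: 0000 [#1] SMP
[  913.551420]  mmap_region+0x0/0x0
[ 1500.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
""".splitlines()

if __name__ == "__main__":
    for finding in escalate(scan(SAMPLE)):
        print(finding)
```

The last sample line is an unrelated dereference outside the window with no named symbols in its trace, so it is recorded but not escalated.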
Evidence notes
This debrief is based on the supplied CISA CSAF source item for ICSA-25-162-05 and the referenced Siemens ProductCERT advisory SSA-082556. The source advisory was published on 2025-06-10 and last updated/republished on 2026-05-14. The supplied data assigns CVSS 5.5 with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and does not indicate a KEV listing. The source remediation section states that no fix is currently available.
Official resources
- CVE-2025-38364 CVE record (CVE.org)
- CVE-2025-38364 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the source advisory on 2025-06-10 and republished it most recently on 2026-05-14; the supplied enrichment data shows no KEV listing.