PatchSiren cyber security CVE debrief
CVE-2025-38451 Siemens CVE debrief
CVE-2025-38451 is a local Linux kernel availability issue tied to md/md-bitmap bitmap_get_stats(). On affected Siemens SIMATIC S7-1500 CPU models, a missing or inconsistent super-block check can lead to a kernel GPF/Oops when stats are read, potentially disrupting the device's GNU/Linux subsystem.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
Siemens SIMATIC S7-1500 operators, OT/ICS defenders, and teams managing the additional GNU/Linux subsystem or local shell access on the affected CPU models.
Technical summary
The supplied advisory states that bitmap_get_stats() was intended to handle both internal and external bitmaps, but the implementation only validated the super-block for the internal case. That mismatch can dereference invalid data and trigger a kernel GPF during seq_read/proc read paths. The disclosed CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access and availability impact only.
Defensive priority
High for affected fleets: the issue has no fix listed in the supplied advisory, can crash a kernel path, and is reachable with local privileges. Prioritize compensating controls that reduce local access and execution in the GNU/Linux subsystem.
Recommended defensive actions
- Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Limit which applications can be built and run on the device, and only use trusted sources.
- Review whether the affected Siemens CPU models are deployed in environments where local user access is possible, and reduce that exposure.
- Monitor affected devices for kernel Oops, unexpected reboots, or service disruption associated with md/md-bitmap activity.
- Track Siemens ProductCERT and CISA updates for any future fix or revised remediation guidance, since the supplied advisory lists no fix currently available.
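For the monitoring recommendation above, one way to triage collected kernel logs is to group each GPF/Oops report and flag only those whose trace names the md bitmap stats path. This is an added example, not code from Siemens, CISA or the kernel project; the function name, the `md_seq_show` caller and the sample log lines are assumptions constructed for illustration.

```python
import re

# Headers the kernel prints at the start of a GPF / Oops report.
FAULT_START = re.compile(r"general protection fault|Oops:|BUG: unable to handle")
# bitmap_get_stats() is the function named in the advisory; md_seq_show (the
# /proc/mdstat reader in mainline Linux) is an assumed caller on this device.
MD_SYMBOLS = re.compile(r"\b((?:md_)?bitmap_get_stats|md_seq_show)\b")
END_TRACE = re.compile(r"---\[ end trace")
MAX_BLOCK = 60  # assumption: stop scanning a report with no end marker after this many lines


def find_md_bitmap_faults(lines):
    """Return one record per kernel fault report whose trace names md bitmap code."""
    hits, block, seen = [], None, 0
    for number, line in enumerate(lines, 1):
        if block is None:
            if not FAULT_START.search(line):
                continue
            block, seen = {"line": number, "header": line.strip(), "symbols": []}, 0
        for symbol in MD_SYMBOLS.findall(line):
            if symbol not in block["symbols"]:
                block["symbols"].append(symbol)
        seen += 1
        if END_TRACE.search(line) or seen >= MAX_BLOCK:
            if block["symbols"]:
                hits.append(block)
            block = None
    if block and block["symbols"]:  # log ended mid-report, e.g. the device rebooted
        hits.append(block)
    return hits


# Constructed sample in dmesg style; addresses, offsets and PIDs are made up.
SAMPLE = """\
[ 1021.100001] md: md0 stopped.
[ 1042.337001] general protection fault, probably for non-canonical address 0x1000000000000000: 0000 [#1] SMP
[ 1042.337010] CPU: 1 PID: 2211 Comm: cat Not tainted
[ 1042.337020] RIP: 0010:bitmap_get_stats+0x2b/0xa0
[ 1042.337030] Call Trace:
[ 1042.337040]  md_seq_show+0x2d0/0x5b0
[ 1042.337050]  seq_read_iter+0x2b9/0x470
[ 1042.337060] ---[ end trace 0000000000000000 ]---
[ 2000.000001] general protection fault, probably for non-canonical address 0x1: 0000 [#2] SMP
[ 2000.000010] RIP: 0010:some_other_driver+0x10/0x40
[ 2000.000020] ---[ end trace 0000000000000000 ]---
""".splitlines()

if __name__ == "__main__":
    for hit in find_md_bitmap_faults(SAMPLE):
        print(f"line {hit['line']}: {', '.join(hit['symbols'])} :: {hit['header']}")
```

The second fault in the sample is deliberately unrelated, so only the first report is flagged; a report cut off by a reboot is still returned if an md symbol was seen before the log ended.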
Evidence notes
CISA's CSAF advisory ICSA-25-162-05 was published on 2025-06-10 and last updated on 2026-05-14. The source ties CVE-2025-38451 to Siemens ProductCERT advisory SSA-082556 and lists five affected SIMATIC/SIPLUS S7-1500 CPU variants. The vulnerability description in the corpus attributes the fault to an md/md-bitmap bitmap_get_stats() super-block validation error that can produce a GPF/Oops and carries a CVSS 3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. No KEV listing or active exploitation evidence is present in the supplied materials.
Official resources
- CVE-2025-38451 CVE record (CVE.org)
- CVE-2025-38451 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2025-06-10 via CISA's ICSA-25-162-05 / Siemens ProductCERT SSA-082556, with CISA's latest republication update on 2026-05-14.