PatchSiren cyber security CVE debrief
CVE-2025-38468 Siemens CVE debrief
CVE-2025-38468 is a Linux kernel denial-of-service issue disclosed in Siemens and CISA advisories for several SIMATIC S7-1500 CPU 1518/1518F MFP variants. The bug is in traffic-control queue handling: under a specific local qdisc interaction, htb_lookup_leaf can encounter an empty red-black tree and hit a BUG_ON, which can crash the subsystem. The advisory rates the issue CVSS 3.1 5.5 (medium) with local access required and high availability impact.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers of the affected Siemens SIMATIC S7-1500 CPU models, especially environments that expose or use the additional GNU/Linux subsystem, interactive shell access, or third-party applications. OT teams should also care because the impact is service disruption rather than data theft, and the vendor advisory states no fix is currently available.
Technical summary
The source advisory describes a Linux kernel path in which HTB dequeue processing interacts with netem and a blackhole child qdisc. When packet backlog is reduced to zero, the selected HTB class can be removed from the red-black tree. If a later dequeue path returns NULL and htb_lookup_leaf is called again on the same empty tree, the existing BUG_ON is reached. The reported fix is to return NULL instead of asserting when the tree is empty.
Defensive priority
High for affected Siemens deployments. The issue is local and requires some level of access, but the consequence is a crash/denial of service in a product family used in industrial control contexts. Because the advisory lists no fix, exposure reduction and access control are the main immediate controls.
Recommended defensive actions
- Confirm whether any listed SIMATIC S7-1500 CPU 1518/1518F MFP variants are in scope in your environment.
- Restrict access to the additional GNU/Linux subsystem shell to trusted personnel only.
- Limit execution of applications and packages to trusted, vetted sources only.
- Review whether traffic-control/qdisc features are needed on affected systems and remove unnecessary local access paths where possible.
- Monitor vendor and CISA advisories for updates, since the source advisory states that no fix is currently available.
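For the qdisc review step above, the following added example (not part of the Siemens or CISA advisory) reads `tc qdisc show` output and reports interfaces where a blackhole qdisc has both netem and HTB above it, the combination named in the technical summary. The sample lines are constructed, and the line layout, the availability of `tc` on the affected subsystem, and the reading that all three qdiscs sit on one parent chain are assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `tc qdisc show` output (not captured from a real device).
SAMPLE = """\
qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 0x1 direct_packets_stat 0 direct_qlen 1000
qdisc netem 2: dev eth0 parent 1:1 limit 1000 delay 100ms
qdisc blackhole 3: dev eth0 parent 2:1
qdisc htb 1: dev eth1 root refcnt 2 r2q 10 default 0x10 direct_packets_stat 0 direct_qlen 1000
qdisc fq_codel 10: dev eth1 parent 1:10 limit 10240p flows 1024 quantum 1514
qdisc noqueue 0: dev lo root refcnt 2
"""

# Assumed line shape: "qdisc <kind> <major>: dev <dev> root|parent <major>:<minor> ..."
LINE = re.compile(
    r"^qdisc (\S+) ([0-9a-f]*): dev (\S+) (?:root|parent ([0-9a-f]*):[0-9a-f]*)")

def parse(text):
    """Return {dev: {handle_major: (kind, parent_major_or_None)}}."""
    devs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            kind, handle, dev, parent = m.groups()
            devs[dev][handle] = (kind, parent)
    return devs

def chain(qdiscs, handle):
    """Qdisc kinds from `handle` up to the root, e.g. ['blackhole', 'netem', 'htb']."""
    kinds, seen = [], set()
    while handle in qdiscs and handle not in seen:  # `seen` guards against loops
        seen.add(handle)
        kind, handle = qdiscs[handle]
        kinds.append(kind)
    return kinds

def flagged_devices(text):
    """Devices with a blackhole qdisc that has both netem and htb above it."""
    hits = set()
    for dev, qdiscs in parse(text).items():
        for handle in qdiscs:
            kinds = chain(qdiscs, handle)
            if kinds[0] == "blackhole" and {"netem", "htb"} <= set(kinds[1:]):
                hits.add(dev)
    return sorted(hits)

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for dev in flagged_devices(text):
        print(f"{dev}: htb + netem + blackhole chain present, review whether it is needed")
```

Pipe real `tc qdisc show` output into the script on standard input, or run it with no input to see the constructed sample. A hit only shows that the configuration is present and is a prompt to check who set it up and whether it is required.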
Evidence notes
CISA’s CSAF source item and Siemens ProductCERT advisory both identify CVE-2025-38468 and list five affected SIMATIC S7-1500 CPU variants. The advisory text says the Linux kernel bug occurs in htb_lookup_leaf when an empty rbtree is encountered after HTB/netem/blackhole queue handling, leading to a BUG_ON and a denial of service. The remediation section explicitly states that no fix is currently available and recommends restricting shell access and only running trusted applications. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which aligns with a local availability-impact issue.
Official resources
- CVE-2025-38468 CVE record (CVE.org)
- CVE-2025-38468 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed on 2025-06-10 through CISA’s ICS advisory ICSA-25-162-05 and the Siemens ProductCERT advisory SSA-082556.