PatchSiren cyber security CVE debrief
CVE-2025-38471 Siemens CVE debrief
CVE-2025-38471 describes a Linux kernel TLS use-after-free that can be reached in the receive path when queue state is checked against an old skb after more aggressive TCP skb compaction. In the cited CISA/Siemens advisory record, the issue is associated with specific Siemens SIMATIC S7-1500 CPU family products, is rated CVSS 7.8 (High), and the source states that no fix is currently available.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
OT/ICS teams operating the Siemens SIMATIC S7-1500 CPU family products named in the advisory, especially environments using the embedded GNU/Linux subsystem or any local shell/application workflows on those devices. Linux kernel and TLS stack maintainers should also track the upstream bug context and advisory updates.
Technical summary
The CVE description says TLS may operate on a stale skb while determining whether all queued skbs match decrypt state and geometry. Recent TCP skb compaction changes exposed the flaw, and the provided trace shows a KASAN slab-use-after-free in tls_strp_check_rcv() during tls_rx_rec_wait() / tls_sw_recvmsg() / inet_recvmsg() handling. The published vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access is required and impact can be severe once triggered.
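As an added example (not part of the advisory or the kernel sources), the following Python triage helper scans kernel log text for KASAN reports whose faulting function and call-trace frames match the trace described above. It assumes a test kernel built with KASAN, since only such kernels emit these reports; the sample log is constructed and the helper names are hypothetical.

```python
import re

# Function names the debrief gives for the CVE-2025-38471 trace.
FAULT_FUNC = "tls_strp_check_rcv"
PATH_FUNCS = {"tls_rx_rec_wait", "tls_sw_recvmsg", "inet_recvmsg"}

KASAN_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
FRAME_RE = re.compile(r"(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def kasan_reports(lines):
    """Group log lines into KASAN reports: kind, faulting function, frames."""
    reports, cur = [], None
    for line in lines:
        head = KASAN_RE.search(line)
        if head:
            cur = {"kind": head["kind"], "func": head["func"], "frames": []}
            reports.append(cur)
        elif "=====" in line:
            cur = None  # separator line opens or closes a report
        elif cur is not None:
            frame = FRAME_RE.search(line)
            if frame:
                cur["frames"].append(frame["func"])
    return reports

def matches_cve_signature(report):
    """Use-after-free in the faulting function, reached via the named frames."""
    return (report["kind"].endswith("use-after-free")
            and report["func"] == FAULT_FUNC
            and PATH_FUNCS.issubset(report["frames"]))

# Constructed sample log (offsets, addresses and function demo_other_func are made up).
SAMPLE_LOG = """\
[  101.000001] ================================================
[  101.000002] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x10/0x20
[  101.000003] Call Trace:
[  101.000004]  tls_strp_check_rcv+0x10/0x20
[  101.000005]  tls_rx_rec_wait+0x10/0x20
[  101.000006]  tls_sw_recvmsg+0x10/0x20
[  101.000007]  inet_recvmsg+0x10/0x20
[  101.000008] ================================================
[  205.000001] BUG: KASAN: slab-out-of-bounds in demo_other_func+0x10/0x20
[  205.000002]  demo_other_func+0x10/0x20
[  205.000003] ================================================
""".splitlines()

if __name__ == "__main__":
    for r in kasan_reports(SAMPLE_LOG):
        print(r["kind"], r["func"], "MATCH" if matches_cve_signature(r) else "other")
```

A report that names the faulting function but lacks the receive-path frames is deliberately not flagged, so unrelated TLS strparser reports are left for manual review.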
Defensive priority
High. The attack surface is local rather than remote, but the source severity is still 7.8 and the advisory notes no current fix. Prioritize asset identification, access restriction, and advisory monitoring for the affected Siemens product set.
Recommended defensive actions
- Confirm whether any of the five Siemens SIMATIC S7-1500 CPU family products listed in the advisory are deployed in your environment.
- Apply the source-listed mitigations: limit access to the interactive shell to trusted personnel only, and only build or run applications from trusted sources.
- Monitor the Siemens ProductCERT and CISA advisory pages for updates, because the source currently states that no fix is available.
- Restrict local access to affected systems and apply least-privilege controls where these devices expose Linux/TLS functionality.
- Use CISA ICS defense-in-depth and recommended practices for additional hardening around affected OT assets.
Evidence notes
The supplied CVE description attributes the bug to Linux kernel TLS receive-path handling and includes a KASAN slab-use-after-free trace. The CISA CSAF source (ICSA-25-162-05 / Siemens SSA-082556) maps CVE-2025-38471 to five Siemens SIMATIC S7-1500 CPU family products and includes the remediation note 'Currently no fix is available.' Timing in this debrief follows the supplied CVE publishedAt date of 2025-06-10 and the source/advisory modifiedAt date of 2026-05-14; generation time is not treated as the issue date.
Official resources
- CVE-2025-38471 CVE record (CVE.org)
- CVE-2025-38471 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA CSAF advisory ICSA-25-162-05 on 2025-06-10, with the advisory republished/updated through 2026-05-14. Use the CVE published date as the issue date; later advisory updates are publication maintenance, not the vuln-