PatchSiren cyber security CVE debrief
CVE-2025-38477 Siemens CVE debrief
CVE-2025-38477 was publicly disclosed in CISA’s ICSA-25-162-05 advisory on 2025-06-10 and last updated on 2026-05-14. The advisory ties a Linux kernel sch_qfq race condition to affected Siemens SIMATIC S7-1500 CPU family products, with potential for local denial of service through NULL dereference or use-after-free conditions. Siemens/CISA note that no fix is currently available and recommend access restriction and trusted-source controls as mitigations.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
OT and industrial-control operators running the affected Siemens SIMATIC S7-1500 CPU family products, especially where the additional GNU/Linux subsystem is exposed or used. Security and platform teams should care if local users, shell access, or locally running applications are permitted on these devices, because the issue is reachable with local access and can affect availability.
Technical summary
The source advisory describes a race condition in Linux kernel sch_qfq qfq_aggregate handling: qfq_change_agg, called during qfq_enqueue, can modify agg while other threads access it concurrently. The documented symptoms include a NULL dereference in qfq_dump_class and a use-after-free in qfq_delete_class. The referenced patch moves qfq_destroy_class into the critical section and adds sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.
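To make the locking discipline in that patch description concrete, here is an added, simplified userspace model; it is not kernel code and not from Siemens or the advisory. The class names (Qdisc, QfqClass, Aggregate) and method names are assumptions that only loosely mirror qfq_change_agg, qfq_destroy_class, qfq_dump_class and sch_tree_lock, and a "freed" flag stands in for memory handed back. In the locked variant the pointer switch and the destruction of the old aggregate both happen inside the critical section, and the dump path takes the same lock, so a reader can never observe a NULL or freed aggregate; the unprotected variant lets a reader observe exactly that state, which in the kernel is the NULL dereference or use-after-free the advisory describes.

```python
"""Simplified userspace model of the locking fix described in the summary.

Added illustration, not kernel code and not from Siemens or the advisory.
Class names (Qdisc, QfqClass, Aggregate) and method names are assumptions
that only loosely mirror qfq_change_agg, qfq_destroy_class, qfq_dump_class
and sch_tree_lock; "freed" is a flag standing in for memory handed back.
"""
import threading


class Aggregate:
    def __init__(self, weight):
        self.weight = weight
        self.freed = False      # True once "qfq_destroy_class" has run on it


class QfqClass:
    def __init__(self, agg):
        self.agg = agg          # pointer the dump path dereferences


class Qdisc:
    def __init__(self):
        self.sch_tree_lock = threading.Lock()
        self.cls = QfqClass(Aggregate(weight=1))
        self.bad_reads = 0      # dumps that saw a NULL or freed aggregate

    # Enqueue-side writer, unprotected: re-point the class and destroy the
    # old aggregate while a concurrent dump may still be looking at it.
    def change_agg_unprotected(self, weight):
        old = self.cls.agg
        self.cls.agg = None                 # transient NULL a reader can hit
        self.cls.agg = Aggregate(weight)
        old.freed = True                    # destroy outside any lock

    # Same transition, but the pointer switch and the destroy of the old
    # aggregate both sit inside the critical section, as the patch does.
    def change_agg_locked(self, weight):
        with self.sch_tree_lock:
            old = self.cls.agg
            self.cls.agg = None
            self.cls.agg = Aggregate(weight)
            old.freed = True

    def _read_agg(self):
        agg = self.cls.agg
        if agg is None or agg.freed:        # NULL deref / UAF in the kernel
            self.bad_reads += 1
            return None
        return agg.weight

    # Dump path without the lock: may observe the writer mid-transition.
    def dump_class_unprotected(self):
        return self._read_agg()

    # Dump path holding sch_tree_lock, as the patch adds to qfq_dump_class.
    def dump_class_locked(self):
        with self.sch_tree_lock:
            return self._read_agg()


def stress(locked, rounds=20000):
    """Run one writer and one reader concurrently; return how many dumps
    observed a NULL or freed aggregate. The locked variant always returns 0."""
    q = Qdisc()
    change = q.change_agg_locked if locked else q.change_agg_unprotected
    dump = q.dump_class_locked if locked else q.dump_class_unprotected

    def writer():
        for i in range(rounds):
            change(i % 7 + 1)

    def reader():
        for _ in range(rounds):
            dump()

    threads = [threading.Thread(target=writer), threading.Thread(target=reader)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return q.bad_reads


if __name__ == "__main__":
    print("unprotected bad reads:", stress(locked=False))  # nondeterministic
    print("locked bad reads:     ", stress(locked=True))   # always 0
```

Only the bad-read count is recorded from the reader thread, so the counter itself is not racy; the unprotected count varies from run to run, which is the point, while the locked count is zero by construction.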
Defensive priority
Medium. The issue is locally reachable, requires low-privilege local access, and is documented as an availability-impacting race condition. For affected Siemens products, the advisory also states that no fix is currently available, so compensating controls matter now.
Recommended defensive actions
- Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Allow only trusted, vetted applications to be built and run on affected devices.
- Inventory the affected Siemens SIMATIC S7-1500 CPU family products and identify where local shell or application access is enabled.
- Monitor affected systems for unexpected crashes, kernel faults, or instability consistent with NULL dereference or use-after-free behavior.
- Track Siemens and CISA advisory updates for a vendor fix or revised mitigation guidance.
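As an added example (not from the advisory, CISA or Siemens), the following Python triages kernel log text for the fault signatures the monitoring action above refers to, attributes a fault to sch_qfq when a qfq symbol or the module tag appears within the next few lines of the report, and checks `tc qdisc show` output for interfaces that actually use QFQ. The log lines, addresses and tc output are constructed samples; on a real host the inputs would be `dmesg` or `journalctl -k` and `tc qdisc show`, and whether those tools exist in the SIMATIC GNU/Linux subsystem is an assumption. The qfq symbol names are the ones cited in the technical summary; `example_drv` is a placeholder module.

```python
"""Kernel-log triage for crash signatures consistent with the sch_qfq race.

Added example, not vendor or advisory code. Sample log and tc text below are
constructed for the demo; feed real `dmesg` / `journalctl -k` and
`tc qdisc show` output in their place.
"""
import re

# Constructed dmesg-style sample. Addresses, offsets and task ids are invented.
SAMPLE_KERNEL_LOG = """\
[  981.442311] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  981.442355] RIP: 0010:qfq_dump_class+0x2a/0x90 [sch_qfq]
[ 1203.000120] BUG: KASAN: slab-use-after-free in qfq_delete_class+0x44/0x120 [sch_qfq]
[ 1203.000200] Read of size 8 at addr ffff888012345678 by task tc/4321
[ 1500.100000] eth0: link up
[ 1700.000000] general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#2] SMP
[ 1700.000050] RIP: 0010:example_drv_poll+0x10/0x40 [example_drv]
"""

# Constructed `tc qdisc show` sample: one interface uses QFQ, one does not.
SAMPLE_TC_OUTPUT = """\
qdisc qfq 1: dev eth0 root refcnt 2
qdisc pfifo_fast 0: dev eth1 root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
"""

# Fault signatures, checked in order; the first match classifies the line.
FAULT_PATTERNS = [
    ("null_deref", re.compile(r"BUG: kernel NULL pointer dereference")),
    ("use_after_free", re.compile(r"KASAN: (?:slab-)?use-after-free")),
    ("gpf", re.compile(r"general protection fault")),
]
# A qfq_* symbol or the [sch_qfq] module tag ties a report to the qdisc.
QFQ_SYMBOL = re.compile(r"\b(qfq_\w+)|\[sch_qfq\]")
QDISC_LINE = re.compile(r"^qdisc (\S+) \S+ dev (\S+)")


def triage_kernel_log(text, window=4):
    """One finding per fault line: its kind, whether it is attributable to
    sch_qfq, and the first qfq symbol seen on it or within `window` lines."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for kind, pat in FAULT_PATTERNS:
            if not pat.search(line):
                continue
            symbol = None
            for ctx in lines[i:i + window + 1]:
                m = QFQ_SYMBOL.search(ctx)
                if m:
                    symbol = m.group(1) or "sch_qfq"
                    break
            findings.append({"line": i + 1, "kind": kind,
                             "qfq_related": symbol is not None, "symbol": symbol})
            break
    return findings


def qfq_devices(tc_output):
    """Interfaces whose root qdisc line reports qfq, from `tc qdisc show`."""
    devs = []
    for line in tc_output.splitlines():
        m = QDISC_LINE.match(line)
        if m and m.group(1) == "qfq":
            devs.append(m.group(2))
    return devs


def summarize(text, tc_output):
    """Compact verdict: fault counts and which interfaces expose QFQ."""
    findings = triage_kernel_log(text)
    qfq_faults = [f for f in findings if f["qfq_related"]]
    return {"faults": len(findings), "qfq_faults": len(qfq_faults),
            "qfq_devices": qfq_devices(tc_output)}


if __name__ == "__main__":
    for finding in triage_kernel_log(SAMPLE_KERNEL_LOG):
        print(finding)
    print(summarize(SAMPLE_KERNEL_LOG, SAMPLE_TC_OUTPUT))
```

The look-ahead window matters because a "BUG: kernel NULL pointer dereference" line carries no symbol itself; the RIP line that follows does. Faults with no qfq attribution are still reported, so the output distinguishes "instability that matches this advisory" from general kernel trouble on the same device.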
Evidence notes
CISA CSAF ICSA-25-162-05 identifies the affected Siemens product family and states "Currently no fix is available". The advisory’s description says the Linux kernel sch_qfq race can occur when agg is modified in qfq_change_agg during qfq_enqueue while other threads access it concurrently, with qfq_dump_class potentially triggering a NULL dereference and qfq_delete_class potentially causing a use-after-free. The advisory also records CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, which supports a local, availability-focused risk profile. The supplied remediations are access restriction and trusted-source controls.
Official resources
- CVE-2025-38477 CVE record (CVE.org)
- CVE-2025-38477 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
First publicly disclosed in CISA CSAF ICSA-25-162-05 on 2025-06-10; the advisory was last updated on 2026-05-14. The source corpus ties the issue to Siemens SIMATIC S7-1500 CPU family products and the Linux kernel sch_qfq race condition.