PatchSiren cyber security CVE debrief

CVE-2025-38684 Siemens CVE debrief

CVE-2025-38684 is described in the supplied advisory material as a Linux kernel net/sched ets issue that can trigger a NULL pointer dereference during qdisc changes and class cleanup. The fix is to purge idle DWRR queues before updating q->nbands, so ets_class_find() and ets_class_is_strict() operate on a consistent configuration. The source package republished by CISA on 2026-05-14 points to Siemens advisory SSA-032379, but the vendor/product metadata in the corpus does not cleanly match the kernel-focused vulnerability text, so applicability should be verified before taking action.

Vendor: Siemens
Product: SIMATIC CN 4100
CVSS: MEDIUM 5.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators or administrators who deploy the affected Siemens-referenced product in the advisory corpus, and teams responsible for Linux kernel traffic-control/qdisc configurations in environments where sch_ets can be exercised. Because the source material includes a product/advisory mismatch, asset owners should first confirm whether their deployed software is actually in scope.

Technical summary

The advisory text says ets_qdisc_change() was purging unused DWRR queues while q->nbands already held a new value. That made cleanup routines look at an inconsistent ets configuration, which could crash in ets_class_qlen_notify() with a kernel NULL pointer dereference during qdisc modification. The stated remediation is to purge idle DWRR queues before assigning the new q->nbands value, while also using the old q->nstrict during cleanup. The supplied CVSS vector is AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H (5.2, Medium), indicating a local, high-complexity, privilege-dependent issue with availability impact.
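To make the ordering problem concrete, the following is an added, deliberately simplified model written for this debrief; it is not the kernel's sch_ets code and none of its names (ets_qdisc_model, model_class_find, model_qlen_notify, change_buggy, change_fixed, init_sample) exist in the kernel. It assumes only what the advisory states: a class lookup bounded by the band count, a strictness check bounded by nstrict, and a cleanup step that runs while the queues of removed bands are purged. The "buggy" path commits the new counts before purging and so looks up bands that the new count says no longer exist; the "fixed" path purges with the old counts first and commits the new values afterwards.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model of the bug class described in the advisory.
 * Not the kernel's implementation; names and layout are constructed. */

#define MAX_BANDS 16

struct ets_class_model {
    int qlen;        /* packets queued in this band (constructed sample data) */
    int on_active;   /* 1 if the band is linked into the active DWRR list */
};

struct ets_qdisc_model {
    unsigned int nbands;
    unsigned int nstrict;
    struct ets_class_model classes[MAX_BANDS];
};

/* Lookup bounded by the current band count: a band at or beyond nbands
 * is "not found", which is the condition the cleanup path must never hit. */
static struct ets_class_model *model_class_find(struct ets_qdisc_model *q,
                                                unsigned int band)
{
    if (band >= q->nbands)
        return NULL;
    return &q->classes[band];
}

static int model_class_is_strict(const struct ets_qdisc_model *q, unsigned int band)
{
    return band < q->nstrict;
}

/* Cleanup step run for a band whose queue is being purged.
 * Returns 0 on success, -1 where real code would dereference NULL. */
static int model_qlen_notify(struct ets_qdisc_model *q, unsigned int band)
{
    struct ets_class_model *cl = model_class_find(q, band);
    if (!cl)
        return -1;                /* the crash path: lookup failed */
    if (!model_class_is_strict(q, band))
        cl->on_active = 0;        /* unlink a DWRR band from the active list */
    cl->qlen = 0;
    return 0;
}

/* Purge bands [from, to). Returns how many cleanups would have hit NULL. */
static int purge_removed_bands(struct ets_qdisc_model *q,
                               unsigned int from, unsigned int to)
{
    int faults = 0;
    for (unsigned int i = from; i < to; i++)
        if (model_qlen_notify(q, i) < 0)
            faults++;
    return faults;
}

/* Buggy ordering: new nbands/nstrict are committed before cleanup runs. */
int change_buggy(struct ets_qdisc_model *q, unsigned int new_nbands,
                 unsigned int new_nstrict)
{
    unsigned int old_nbands = q->nbands;
    q->nbands = new_nbands;
    q->nstrict = new_nstrict;
    return purge_removed_bands(q, new_nbands, old_nbands);
}

/* Fixed ordering: purge under the old configuration, then commit. */
int change_fixed(struct ets_qdisc_model *q, unsigned int new_nbands,
                 unsigned int new_nstrict)
{
    unsigned int old_nbands = q->nbands;
    int faults = purge_removed_bands(q, new_nbands, old_nbands);
    q->nbands = new_nbands;
    q->nstrict = new_nstrict;
    return faults;
}

/* Constructed sample state: 8 bands, 2 strict, every band holds traffic. */
void init_sample(struct ets_qdisc_model *q)
{
    q->nbands = 8;
    q->nstrict = 2;
    for (unsigned int i = 0; i < MAX_BANDS; i++) {
        q->classes[i].qlen = (i < 8) ? 5 : 0;
        q->classes[i].on_active = (i >= 2 && i < 8) ? 1 : 0;
    }
}

int main(void)
{
    struct ets_qdisc_model q;
    init_sample(&q);
    printf("buggy ordering: %d failed lookups while shrinking 8 -> 4 bands\n",
           change_buggy(&q, 4, 2));
    init_sample(&q);
    printf("fixed ordering: %d failed lookups while shrinking 8 -> 4 bands\n",
           change_fixed(&q, 4, 2));
    return 0;
}
```

Shrinking from 8 to 4 bands drives the point home: with the buggy ordering every one of the four removed bands fails its own lookup during cleanup, whereas the fixed ordering completes all four purges and only then records the smaller count. The model returns a count instead of crashing so the two orderings can be compared in one run.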

Defensive priority

Medium. The advisory describes a crash condition with local, privilege-dependent triggering conditions, and the supplied CVSS rates availability highest. Prioritize verification and patching where the affected software is confirmed present, but treat the source/product scope as needing validation because of the mismatch in the supplied corpus.

Recommended defensive actions

  • Verify whether the affected advisory applies to your deployed software and version, since the supplied corpus shows a Linux kernel issue alongside Siemens SIMATIC CN 4100 metadata.
  • If applicable, update to V5.0 or later version as stated in the supplied remediation.
  • Review any automation or administrative workflows that modify qdisc/ETS settings, since the crash is triggered during traffic-control reconfiguration.
  • Limit who can perform privileged network configuration changes on affected systems until remediation is complete.
  • Monitor for kernel oops or stability issues during qdisc changes, especially in environments using sch_ets or ETS-based configuration.
  • Use vendor and CISA advisories as the primary sources for confirmation and remediation timing.

Evidence notes

The corpus includes CISA CSAF advisory ICSA-26-134-10 (published 2026-05-12, republished 2026-05-14) and a Siemens advisory reference SSA-032379. The embedded vulnerability text explicitly describes a Linux kernel net/sched ets bug, including a kernel NULL pointer dereference and crash stack trace in ets_class_qlen_notify(). The supplied remediation states: update to V5.0 or later version. Because the product metadata names Siemens SIMATIC CN 4100 while the description is kernel-specific, scope should be confirmed against the official advisory links before remediation is generalized.

Official resources

Public advisory material was published on 2026-05-12 and republished on 2026-05-14 in the supplied corpus. The issue is presented as a defensive, vendor-advisory context item; no exploit instructions are included here.