Summary

ABB is aware of vulnerabilities in the product versions listed as affected in this advisory. An attacker who successfully exploited these vulnerabilities could corrupt heap memory, potentially take remote control of the product, and perform a write operation to the flash memory to alter the firmware's behavior.

The following versions of ABB Terra AC Wallbox are affected:
- Terra AC wallbox (JP) <=1.8.33, 1.8.36 (CVE-2025-10504, CVE-2025-12142, CVE-2025-12143)

CVSS v3: 6.1
Vendor: ABB
Equipment: ABB Terra AC Wallbox
Vulnerabilities: Heap-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Stack-based Buffer Overflow

Background

Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-10504

There is a potential risk of memory corruption when developing apps that communicate with the charger according to its self-defined protocol, if developers do not strictly respect the field length, which is not validated in the firmware.

Affected Products: ABB Terra AC Wallbox
Vendor: ABB
Product Version: ABB Terra AC wallbox (JP) <=1.8.33
Product Status: fixed, known_affected

Remediations

Vendor fix: The problem is corrected in the following product version; apply the following update depending on product variant:
- Terra AC wallbox (JP) 1.8.36
ABB recommends that customers apply the update at the earliest convenience.

Mitigation: To attack with this kind of message, an attacker must first hijack the Bluetooth connection and only then can send messages. Because the communication messages between the BLE interface and the charger are encrypted, in theory there is no way to attack the charger.

Relevant CWE: CWE-122 Heap-based Buffer Overflow

Metrics: CVSS v3.1 base score 6.1 (MEDIUM), vector string CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C

CVE-2025-12142

There is a potential risk of corrupting BSS memory when developing apps that communicate with the charger via Bluetooth according to its self-defined protocol, if developers configure an unexpected length for bin files.

Affected Products: ABB Terra AC Wallbox
Vendor: ABB
Product Version: ABB Terra AC wallbox (JP) <=1.8.33
Product Status: fixed, known_affected

Remediations

Vendor fix: The problem is corrected in the following product version; apply the following update depending on product variant:
- Terra AC wallbox (JP) 1.8.36
ABB recommends that customers apply the update at the earliest convenience.

Mitigation: To attack with this kind of message, an attacker must first hijack the Bluetooth connection and only then can send messages. Because the communication messages between the BLE interface and the charger are encrypted, in theory there is no way to attack the charger.

Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Metrics: CVSS v3.1 base score 6.1 (MEDIUM), vector string CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C

CVE-2025-12143

There is a potential risk of corrupting stack memory when developing a customized OCPP key "RandomDelay" in the backend and configuring an unexpected number in the field.

Affected Products: ABB Terra AC Wallbox
Vendor: ABB
Product Version: ABB Terra AC wallbox (JP) <=1.8.33
Product Status: fixed, known_affected

Remediations

Vendor fix: The problem is corrected in the following product version; apply the following update depending on product variant:
- Terra AC wallbox (JP) 1.8.36
ABB recommends that customers apply the update at the earliest convenience.

Mitigation: To attack with this kind of message, an attacker must first hijack the Bluetooth connection and only then can send messages. Because the communication messages between the BLE interface and the charger are encrypted, in theory there is no way to attack the charger.

Relevant CWE: CWE-121 Stack-based Buffer Overflow

Metrics: CVSS v3.1 base score 6.1 (MEDIUM), vector string CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C

Acknowledgments

ABB PSIRT reported these vulnerabilities to CISA.

Notice

The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.

- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of ABB PSIRT 9AKK108471A8107 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2025-09-16

Date        Revision  Summary
2025-09-16  1         Initial version.
2025-09-28  2         DocumentID update
2025-09-28  3         Minor corrections
2025-10-09  4         CVSS update
2025-10-27  5         CVE update
2025-11-28  6         CVE update
2025-11-28  7         Fixed Version update
2026-05-21  8         Initial CISA Republication of ABB PSIRT 9AKK108471A8107 advisory
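The three ABB findings above share one root cause: a length or count taken from a message or a configuration field is trusted before it reaches a fixed-size buffer. The C below is an added example, not ABB firmware and not the real Terra AC protocol; the frame layout ([type:1][len:1][payload]), the 32-byte field capacity and the RandomDelay upper bound are assumptions. It contrasts the unchecked copy with a parser that validates the declared length against both the bytes actually received and the destination capacity, and range-checks a numeric configuration value before it can size anything.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed frame layout: [type:1][len:1][payload:len]. Not ABB's real format. */
#define MAX_FIELD_LEN 32u             /* assumed capacity of the fixed destination */
#define RANDOM_DELAY_MAX_SECONDS 600u /* assumed documented range for RandomDelay */

struct field {
    uint8_t type;
    uint8_t len;
    uint8_t data[MAX_FIELD_LEN];
};

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_FIELD_TOO_LONG };

/* The unsafe shape the advisory describes (CWE-120/CWE-122): the length byte
 * from the peer is used directly as the copy size, so a value above
 * MAX_FIELD_LEN writes past out->data. Only ever call this on trusted frames;
 * it is here to contrast with parse_field() below. */
static void parse_field_unchecked(const uint8_t *msg, struct field *out)
{
    out->type = msg[0];
    out->len = msg[1];
    memcpy(out->data, msg + 2, out->len);
}

/* Hardened parser: the declared length must fit both the destination and the
 * bytes that were actually received before anything is copied. */
static enum parse_result parse_field(const uint8_t *msg, size_t msg_len,
                                     struct field *out)
{
    if (msg_len < 2)
        return PARSE_TRUNCATED;          /* header itself is incomplete */
    uint8_t len = msg[1];
    if (len > MAX_FIELD_LEN)
        return PARSE_FIELD_TOO_LONG;     /* would overrun out->data */
    if ((size_t)len > msg_len - 2)
        return PARSE_TRUNCATED;          /* declared more bytes than received */
    out->type = msg[0];
    out->len = len;
    memcpy(out->data, msg + 2, len);
    return PARSE_OK;
}

/* Numeric configuration field (the CWE-121 case): parse strictly and reject
 * anything outside the expected range before it can size a buffer or table. */
static bool parse_random_delay(const char *text, unsigned *out)
{
    if (text == NULL || text[0] == '\0' || text[0] == '-' || text[0] == '+')
        return false;                    /* strtoul would silently accept "-1" */
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0')
        return false;                    /* overflow or trailing garbage */
    if (v > RANDOM_DELAY_MAX_SECONDS)
        return false;
    *out = (unsigned)v;
    return true;
}

int main(void)
{
    /* Constructed frames: a well-formed one, one that declares more than the
     * destination holds, and one that declares more than was received. */
    const uint8_t good[] = {0x01, 0x03, 'a', 'b', 'c'};
    const uint8_t oversized[] = {0x01, 0xff, 0x00};
    const uint8_t short_frame[] = {0x01, 0x05, 'a', 'b'};
    struct field f;

    parse_field_unchecked(good, &f);     /* safe only because good is trusted */
    printf("unchecked: type=%u len=%u\n", f.type, f.len);
    printf("good:      %d\n", parse_field(good, sizeof good, &f));
    printf("oversized: %d\n", parse_field(oversized, sizeof oversized, &f));
    printf("short:     %d\n", parse_field(short_frame, sizeof short_frame, &f));

    unsigned delay;
    printf("RandomDelay 30:    %d\n", parse_random_delay("30", &delay));
    printf("RandomDelay 99999: %d\n", parse_random_delay("99999", &delay));
    return 0;
}
```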

Summary

SIMATIC CN 4100 contains multiple vulnerabilities which could potentially lead to a compromise of availability, integrity and confidentiality. Siemens has released a new version for SIMATIC CN 4100 and recommends updating to the latest version.

The following versions of Siemens SIMATIC are affected:
- SIMATIC CN 4100 vers:intdot/<5.0

CVSS v3: 9.6
Vendor: Siemens
Equipment: Siemens SIMATIC
Vulnerabilities: NULL Pointer Dereference, Reachable Assertion, Use After Free, Out-of-bounds Write, Integer Overflow or Wraparound, Allocation of Resources Without Limits or Throttling, Out-of-bounds Read, Covert Timing Channel, Stack-based Buffer Overflow, Inefficient Algorithmic Complexity, Missing Release of Memory after Effective Lifetime, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Locking, Uncontrolled Recursion, Buffer Access with Incorrect Length Value, Race Condition within a Thread, Missing Synchronization, Use of Uninitialized Resource, Double Free, Missing Release of Resource after Effective Lifetime, Loop with Unreachable Exit Condition ('Infinite Loop'), Improper Update of Reference Count, Improper Control of a Resource Through its Lifetime, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), Unexpected Status Code or Return Value, Divide By Zero, Improper Validation of Specified Index, Position, or Offset in Input, Comparison Using Wrong Factors, Observable Timing Discrepancy, Improper Validation of Syntactic Correctness of Input, Deadlock, Signal Handler Race Condition, Improper Following of Specification by Caller, Improper Check for Dropped Privileges, Transmission of Private Resources into a New Sphere ('Resource Leak'), Improper Resource Shutdown or Release, Improper Access Control, Exposure of Sensitive Information to an Unauthorized Actor, Relative Path Traversal, Improper Neutralization of Escape, Meta, or Control Sequences, Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade'), Uncontrolled Resource Consumption, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Missing Authentication for Critical Function, Improper Check for Unusual or Exceptional Conditions

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2024-47704

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check link_res->hpo_dp_link_enc before using it

[WHAT & HOW]
Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res without initializing hpo_dp_link_enc and it is necessary to check for null before dereferencing.

This fixes 2 FORWARD_NULL issues reported by Coverity.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-476 NULL Pointer Dereference

Metrics: CVSS v3.1 base score 5.5 (MEDIUM), vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2024-57924

In the Linux kernel, the following vulnerability has been resolved:

fs: relax assertions on failure to encode file handles

Encoding file handles is usually performed by a filesystem ->encode_fh() method that may fail for various reasons.

The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle.

There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong.

The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate.

The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches.

Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit.

Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-617 Reachable Assertion

Metrics: CVSS v3.1 base score 5.5 (MEDIUM), vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2024-58240

In the Linux kernel, the following vulnerability has been resolved:

tls: separate no-async decryption request handling from async

If we're not doing async, the handling is much simpler. There's no reference counting, we just need to wait for the completion to wake us up and return its result.

We should preferably also use a separate crypto_wait. I'm not seeing a UAF as I did in the past, I think aec7961916f3 ("tls: fix race between async notify and socket close") took care of it.

This will make the next fix easier.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-416 Use After Free

Metrics: CVSS v3.1 base score 7.3 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-787 Out-of-bounds Write

Metrics: CVSS v3.1 base score 7.5 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-6052

A flaw was found in how GLib's GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn't. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-190 Integer Overflow or Wraparound

Metrics: CVSS v3.1 base score 3.7 (LOW), vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-7425

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-416 Use After Free

Metrics: CVSS v3.1 base score 7.8 (HIGH), vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

CVE-2025-8916

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java, https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java. This issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling

Metrics: CVSS v3.1 base score 5.3 (MEDIUM), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-9230

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-125 Out-of-bounds Read

Metrics: CVSS v3.1 base score 7.5 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-9231

Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.
Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker. While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.

OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-385 Covert Timing Channel

Metrics: CVSS v3.1 base score 6.5 (MEDIUM), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVE-2025-9232

Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.

Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.

The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.

In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.

The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-125 Out-of-bounds Read

Metrics: CVSS v3.1 base score 5.9 (MEDIUM), vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-9820

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-121 Stack-based Buffer Overflow

Metrics: CVSS v3.1 base score 4 (MEDIUM), vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-14831

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-407 Inefficient Algorithmic Complexity

Metrics: CVSS v3.1 base score 5.3 (MEDIUM), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-23143

In the Linux kernel, the following vulnerability has been resolved:

net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.

When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]

Reproduction Steps:
1) Mount CIFS
2) Add an iptables rule to drop incoming FIN packets for CIFS
3) Unmount CIFS
4) Unload the CIFS module
5) Remove the iptables rule

At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped.

At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds.

  # ss -tan
  State      Recv-Q Send-Q Local Address:Port Peer Address:Port
  FIN-WAIT-1 0      477    10.0.2.15:51062    10.0.0.137:445

  # lsmod | grep cifs
  cifs 1159168 0

This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully.

While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name().
Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired.

Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref.

If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue.

Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free().

Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO.

[0]:
  CIFS_SERVER="10.0.0.137"
  CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST"
  DEV="enp0s3"
  CRED="/root/WindowsCredential.txt"

  MNT=$(mktemp -d /tmp/XXXXXX)
  mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1

  iptables -A INPUT -s ${CIFS_SERVER} -j DROP

  for i in $(seq 10);
  do
      umount ${MNT}
      rmmod cifs
      sleep 1
  done

  rm -r ${MNT}

  iptables -D INPUT -s ${CIFS_SERVER} -j DROP

[1]:
  DEBUG_LOCKS_WARN_ON(1)
  WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
  Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
  CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
  ...
  Call Trace:
   __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)
   lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)
   _raw_spin_lock_nested (kernel/locking/spinlock.c:379)
   tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)
  ...

  BUG: kernel NULL pointer dereference, address: 00000000000000c4
  PF: supervisor read access in kernel mode
  PF: error_code(0x0000) - not-present page
  PGD 0
  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36
  Tainted: [W]=WARN
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  RIP: 0010:__lock_acquire (kernel/
  ---truncated---

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-476 NULL Pointer Dereference

Metrics: CVSS v3.1 base score 5.5 (MEDIUM), vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-23160

In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization

On Mediatek devices with a system companion processor (SCP) the mtk_scp structure has to be removed explicitly to avoid a resource leak. Free the structure in case the allocation of the firmware structure fails during the firmware initialization.
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-31257 This issue was addressed with improved memory handling. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected Safari crash. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Metrics CVSS Version Base Score Base Severity Vector String 3.1 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L CVE-2025-37931 In the Linux kernel, the following vulnerability has been resolved: btrfs: adjust subpage bit start based on sectorsize When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes. When writing out a subpage EB we scan the subpage bitmap for a dirty range. If the range isn't dirty we do bit_start++; to move onto the next bit. The problem is the bitmap is based on the number of sectors that an EB has. So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4 bits for every node. With a 64k page size we end up with 4 nodes per page. 
To make this easier this is how everything looks [0 16k 32k 48k ] logical address [0 4 8 12 ] radix tree offset [ 64k page ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers [ | | | | | | | | | | | | | | | | ] bitmap Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4. When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k. However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries. In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again. This time it is dirty, and we go to find that start using the following equation start = folio_start + bit_start * fs_info->sectorsize; so in the case above, eb->start 0 is now dirty, and we calculate start as 0 + 1 * fs_info->sectorsize = 4096 4096 >> 12 = 1 Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5. If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers. The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change. Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit. 
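The bit_start arithmetic in the CVE-2025-37931 commit message above is easier to follow once the geometry is laid out in code. The C below is an added model, not btrfs code: it reproduces the 64k page / 16k node / 4k sector layout, populates the radix slots only at 0, 4, 8 and 12, and runs the scan both with the buggy bit_start++ and with the fixed bit_start += sectors_per_node, while a constructed "concurrent writer" dirties an eb right after the first probe, as in the commit's scenario.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Geometry from the commit message: 64k page, 16k nodesize, 4k sectorsize. */
#define PAGE_SIZE        (64u * 1024u)
#define NODESIZE         (16u * 1024u)
#define SECTORSIZE       (4u * 1024u)
#define SECTORSIZE_BITS  12u
#define SECTORS_PER_NODE (NODESIZE / SECTORSIZE)   /* 4 bits per eb */
#define BITS_PER_FOLIO   (PAGE_SIZE / SECTORSIZE)  /* 16 bits per 64k folio */
#define EBS_PER_FOLIO    (PAGE_SIZE / NODESIZE)    /* 4 ebs per folio */

/* Toy model of one folio plus the radix tree slice that covers it.
 * Radix slots are keyed by eb->start >> sectorsize_bits, so only
 * slots 0, 4, 8 and 12 ever hold an extent buffer. */
struct folio_model {
    uint16_t dirty_bitmap;              /* one bit per 4k sector, folio_start = 0 */
    bool eb_present[BITS_PER_FOLIO];
};

/* Mark every sector of the ebs selected in eb_mask (bit i = eb i) dirty. */
static void folio_mark_dirty(struct folio_model *f, unsigned eb_mask)
{
    for (unsigned eb = 0; eb < EBS_PER_FOLIO; eb++)
        if (eb_mask & (1u << eb))
            f->dirty_bitmap |= (uint16_t)(((1u << SECTORS_PER_NODE) - 1u)
                                          << (eb * SECTORS_PER_NODE));
}

static void folio_init(struct folio_model *f, unsigned dirty_eb_mask)
{
    memset(f, 0, sizeof *f);
    for (unsigned eb = 0; eb < EBS_PER_FOLIO; eb++)
        f->eb_present[eb * SECTORS_PER_NODE] = true;
    folio_mark_dirty(f, dirty_eb_mask);
}

/* Scan the dirty bitmap the way the writeback loop does and return how many
 * ebs were "written". *missed counts dirty ranges whose computed start did
 * not map to a populated radix slot, i.e. dirty ebs silently skipped.
 * late_dirty_mask models a concurrent writer dirtying ebs right after the
 * first bitmap probe, which is the ordering the commit message describes. */
static unsigned scan_and_writeback(struct folio_model *f, bool fixed,
                                   unsigned late_dirty_mask, unsigned *missed)
{
    unsigned written = 0, probes = 0, bit_start = 0;
    *missed = 0;
    while (bit_start < BITS_PER_FOLIO) {
        bool dirty = (f->dirty_bitmap >> bit_start) & 1u;
        if (++probes == 1)
            folio_mark_dirty(f, late_dirty_mask);   /* concurrent writer */
        if (!dirty) {
            /* Buggy code stepped one sector, leaving bit_start misaligned
             * from every radix slot; the fix always steps a whole node. */
            bit_start += fixed ? SECTORS_PER_NODE : 1u;
            continue;
        }
        uint64_t start = (uint64_t)bit_start * SECTORSIZE;   /* + folio_start (0) */
        unsigned radix = (unsigned)(start >> SECTORSIZE_BITS);
        if (radix < BITS_PER_FOLIO && f->eb_present[radix])
            written++;
        else
            (*missed)++;                 /* lookup lands between ebs: nothing written */
        bit_start += SECTORS_PER_NODE;
    }
    return written;
}

int main(void)
{
    struct folio_model f;
    unsigned missed;

    /* eb1 dirty from the start; eb0 becomes dirty after the first probe. */
    folio_init(&f, 0x2u);
    unsigned w = scan_and_writeback(&f, false, 0x1u, &missed);
    printf("buggy: written=%u missed=%u\n", w, missed);   /* 0 written, 2 missed */

    folio_init(&f, 0x2u);
    w = scan_and_writeback(&f, true, 0x1u, &missed);
    printf("fixed: written=%u missed=%u\n", w, missed);   /* 1 written, 0 missed */
    return 0;
}
```

With the buggy step the scan lands on radix slots 1 and 5, finds nothing there and drops two dirty nodes on the floor; with the fixed step it stays on node boundaries and writes the dirty eb at slot 4.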
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-37968
In the Linux kernel, the following vulnerability has been resolved:
iio: light: opt3001: fix deadlock due to concurrent flag access
The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock. Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-667 Improper Locking
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38322
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel: Fix crash in icl_update_topdown_event()
The perf_fuzzer found a hard-lockup crash on a RaptorLake machine:
Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000
CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN
Hardware name: Dell Inc. Precision 9660/0VJ762
RIP: 0010:native_read_pmc+0x7/0x40
Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...
RSP: 000:fffb03100273de8 EFLAGS: 00010046
....
Call Trace:
 icl_update_topdown_event+0x165/0x190
 ? ktime_get+0x38/0xd0
 intel_pmu_read_event+0xf9/0x210
 __perf_event_read+0xf9/0x210
CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38347
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on ino and xnid
syzbot reported a f2fs bug as below:
INFO: task syz-executor140:5308 blocked for more than 143 seconds.
      Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
Call Trace:
 context_switch kernel/sched/core.c:5378 [inline]
 __schedule+0x190e/0x4c90 kernel/sched/core.c:6765
 __schedule_loop kernel/sched/core.c:6842 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6857
 io_schedule+0x8d/0x110 kernel/sched/core.c:7690
 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
 __folio_lock mm/filemap.c:1664 [inline]
 folio_lock include/linux/pagemap.h:1163 [inline]
 __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
 find_get_page_flags include/linux/pagemap.h:842 [inline]
 f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
 f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
 f2fs_acl_create fs/f2fs/acl.c:375 [inline]
 f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
 f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
 unix_bind_bsd net/unix/af_unix.c:1286 [inline]
 unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
 __sys_bind_socket net/socket.c:1817 [inline]
 __sys_bind+0x1e4/0x290 net/socket.c:1848
 __do_sys_bind net/socket.c:1853 [inline]
 __se_sys_bind net/socket.c:1851 [inline]
 __x64_sys_bind+0x7a/0x90 net/socket.c:1851
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Let's dump and check the metadata of the corrupted inode; it shows its xattr_nid is the same as its i_ino.
dump.f2fs -i 3 chaseyu.img.raw
i_xattr_nid [0x 3 : 3]
So, during mknod in the corrupted directory, it tries to get and lock the inode page twice, resulting in a deadlock.
- f2fs_mknod
 - f2fs_add_inline_entry
  - f2fs_get_inode_page --- lock dir's inode page
  - f2fs_init_acl
   - f2fs_acl_create(dir,..)
    - __f2fs_get_acl
     - f2fs_getxattr
      - lookup_all_xattrs
       - __get_node_page --- try to lock dir's inode page
In order to fix this, let's add a sanity check on ino and xnid.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38491
In the Linux kernel, the following vulnerability has been resolved:
mptcp: make fallback action and fallback decision atomic
Syzkaller reported the following splat:
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Modules linked in:
CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]
RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Call Trace:
 tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432
 tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975
 tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166
 tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925
 tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363
 ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:317 [inline]
 NF_HOOK include/linux/netfilter.h:311 [inline]
 ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:469 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
 NF_HOOK include/linux/netfilter.h:317 [inline]
 NF_HOOK include/linux/netfilter.h:311 [inline]
 ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975
 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088
 process_backlog+0x301/0x1360 net/core/dev.c:6440
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453
 napi_poll net/core/dev.c:7517 [inline]
 net_rx_action+0xb44/0x1010 net/core/dev.c:7644
 handle_softirqs+0x1d0/0x770 kernel/softirq.c:579
 do_softirq+0x3f/0x90 kernel/softirq.c:480
 __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524
 mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985
 mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]
 __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000
 mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066
 inet_release+0xed/0x200 net/ipv4/af_inet.c:435
 inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487
 __sock_release+0xb3/0x270 net/socket.c:649
 sock_close+0x1c/0x30 net/socket.c:1439
 __fput+0x402/0xb70 fs/file_table.c:465
 task_work_run+0x150/0x240 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xd4
---truncated---
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-667 Improper Locking
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38502
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix oob access in cgroup local storage
Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other, the verifier will validate each of the individual programs just fine. However, in the runtime context the bpf_cg_run_ctx holds a bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses.
Helpers such as bpf_get_local_storage() pick this up from the runtime context:
    ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
    storage = ctx->prog_item->cgroup_storage[stype];
    if (stype == BPF_CGROUP_STORAGE_SHARED)
        ptr = &READ_ONCE(storage->buf)->data[0];
    else
        ptr = this_cpu_ptr(storage->percpu_buf);
For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access. To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS 3.1, Base Score 4 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-38552
In the Linux kernel, the following vulnerability has been resolved:
mptcp: plug races between subflow fail and subflow creation
We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger. The solution is similar. Use a separate flag to track the condition 'socket state prevents any additional subflow creation', protected by the fallback lock. The socket fallback makes such flag true, and so does receiving or sending an MP_FAIL option. The field 'allow_infinite_fallback' is now always touched under the relevant lock, so we can drop the ONCE annotation on write.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.3 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE-2025-38614
In the Linux kernel, the following vulnerability has been resolved:
eventpoll: Fix semi-unbounded recursion
Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons:
- They don't look upwards in the tree.
- If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths").
Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops. A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files. As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").) To fix it:
1. In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited.
2. Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk.
3. In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-674 Uncontrolled Recursion
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38670
In the Linux kernel, the following vulnerability has been resolved:
arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken: if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, but x18 still points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls `call_on_irq_stack()` and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use! This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled.
This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning. Do the same in `call_on_irq_stack()`, but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38676
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Avoid stack buffer overflow from kernel cmdline
While the kernel command line is considered trusted in most environments, avoid writing 1 byte past the end of "acpiid" if the "str" argument is maximum length.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-805 Buffer Access with Incorrect Length Value
Metrics: CVSS 3.1, Base Score 6 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2025-38677
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid out-of-boundary access in dnode page
As Jiaming Zhang reported:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x17e/0x800 mm/kasan/report.c:480
 kasan_report+0x147/0x180 mm/kasan/report.c:593
 data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
 f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
 f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
 f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
 prepare_write_begin fs/f2fs/data.c:3395 [inline]
 f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
 generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
 f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
 f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x546/0xa90 fs/read_write.c:686
 ksys_write+0x149/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause is that in the corrupted image there is a dnode that has the same node id as its inode, so during f2fs_get_dnode_of_data() it tries to access the block address in the dnode at offset 934; however, it parses the dnode as an inode node, so get_dnode_addr() returns 360, and then it tries to access the page address from 360 + 934 * 4 = 4096 with 4 bytes.
To fix this issue, let's add a sanity check for the node id of all direct nodes during f2fs_get_dnode_of_data().
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38679
In the Linux kernel, the following vulnerability has been resolved:
media: venus: Fix OOB read due to missing payload bound check
Currently, the event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed. Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38680
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), but the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format().
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38681
In the Linux kernel, the following vulnerability has been resolved:
mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose.
In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take the memory hotplug lock while dumping the kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. A similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages, which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx(), which will benefit both scenarios. Drop the get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-366 Race Condition within a Thread
Metrics: CVSS 3.1, Base Score 6.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

CVE-2025-38683
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: Fix panic during namespace deletion with VF
The existing code moves the VF NIC to the new namespace when NETDEV_REGISTER is received on the netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When the netvsc NIC is moved back and registered to the default namespace, it automatically brings the VF NIC back to the default namespace.
This will cause the default_device_exit_net() >> for_each_netdev_safe loop to be unable to detect the list end, and hit a NULL ptr:
[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 231.450246] #PF: supervisor read access in kernel mode
[ 231.450579] #PF: error_code(0x0000) - not-present page
[ 231.450916] PGD 17b8a8067 P4D 0
[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
[ 231.452692] Workqueue: netns cleanup_net
[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
[ 231.458434] Call Trace:
[ 231.458777]  ops_undo_list+0x100/0x220
[ 231.459015]  cleanup_net+0x1b8/0x300
[ 231.459285]  process_one_work+0x184/0x340
To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-820 Missing Synchronization
Metrics: CVSS 3.1, Base Score 5.2 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

CVE-2025-38684
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: use old 'nbands' while purging unused classes
Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem has been here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it by purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration:
- old 'q->nbands' because it's needed by ets_class_find()
- old 'q->nstrict' because it's needed by ets_class_is_strict()
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
Call Trace:
 ets_class_qlen_notify+0x65/0x90 [sch_ets]
 qdisc_tree_reduce_backlog+0x74/0x110
 ets_qdisc_change+0x630/0xa40 [sch_ets]
 __tc_modify_qdisc.constprop.0+0x216/0x7f0
 tc_modify_qdisc+0x7c/0x120
 rtnetlink_rcv_msg+0x145/0x3f0
 netlink_rcv_skb+0x53/0x100
 netlink_unicast+0x245/0x390
 netlink_sendmsg+0x21b/0x470
 ____sys_sendmsg+0x39d/0x3d0
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xd0
 do_syscall_64+0x7d/0x160
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f2155114084
[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
[2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS 3.1, Base Score 5.2 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

CVE-2025-38685
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing a console number and a frame buffer number. Ideally this maps the console to the frame buffer and updates the screen if the console is visible. As part of the mapping it has to resize the console according to the frame buffer info. If this resize fails, it returns from vc_do_resize() and continues further. At this point the console and new frame buffer are mapped and the display vars are set. Despite the failure it still continues to proceed, updating the screen at later stages where vc_data is related to the previous frame buffer while the frame buffer info and display vars are mapped to the new frame buffer, eventually leading to an out-of-bounds write in fast_imageblit(). This behaviour is expected only when fg_console is equal to the requested console, which is a visible console, and the screen is updated with invalid struct references in fbcon_putcs().
Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-787 Out-of-bounds Write

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7.8         HIGH           CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38687

In the Linux kernel, the following vulnerability has been resolved:

comedi: fix race between polling and detaching

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed.

We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl. Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`.

Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter.

Thanks to Jens Axboe for diagnosing the problem and co-developing this patch.
Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38691

In the Linux kernel, the following vulnerability has been resolved:

pNFS: Fix uninited ptr deref in block/scsi layout

The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers.

An additional problem is that there is no limit on the maximum possible buffer_size. When there are too many extents, the client may create a layoutcommit that is larger than the maximum possible RPC size accepted by the server.

During testing, we observed two typical scenarios. First, one memory page for extents is enough when we work with small files, append data to the end of the file, or preallocate extents before writing. But when we fill a new large file without preallocating, the number of extents can be huge, and counting the number of written extents in ext_tree_encode_commit() does not help much. Since this number increases even more between unlocking and locking of ext_tree, the reallocated buffer may not be large enough again and again.
Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-908 Use of Uninitialized Resource

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38693

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar

In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add a check on msg[0].len to prevent crash.

Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7           HIGH           CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38694

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()

In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add a check on msg[0].len to prevent crash. A similar issue occurs when accessing msg[1].buf[0] and msg[1].buf[1].
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-476 NULL Pointer Dereference

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38695

In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure

If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may occur before sli4_hba.hdwqs are allocated. This may result in a null pointer dereference when attempting to take the abts_io_buf_list_lock for the first hardware queue.

Fix by adding a null ptr check on phba->sli4_hba.hdwq and early return because this situation means there must have been an error during port initialization.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-476 NULL Pointer Dereference

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7           HIGH           CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38696

In the Linux kernel, the following vulnerability has been resolved:

MIPS: Don't crash in stack_top() for tasks without ABI or vDSO

Not all tasks have an ABI associated or vDSO mapped, for example kthreads never do. If such a task ever ends up calling stack_top(), it will dereference the NULL ABI pointer and crash.
This can for example happen when using kunit:

 mips_stack_top+0x28/0xc0
 arch_pick_mmap_layout+0x190/0x220
 kunit_vm_mmap_init+0xf8/0x138
 __kunit_add_resource+0x40/0xa8
 kunit_vm_mmap+0x88/0xd8
 usercopy_test_init+0xb8/0x240
 kunit_try_run_case+0x5c/0x1a8
 kunit_generic_run_threadfn_adapter+0x28/0x50
 kthread+0x118/0x240
 ret_from_kernel_thread+0x14/0x1c

Only dereference the ABI pointer if it is set. The GIC page is also included as it is specific to the vDSO. Also move the randomization adjustment into the same conditional.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38697

In the Linux kernel, the following vulnerability has been resolved:

jfs: upper bound check of tree index in dbAllocAG

When computing the tree index in dbAllocAG, we never check if we are out of bounds relative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7           HIGH           CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38698

In the Linux kernel, the following vulnerability has been resolved:

jfs: Regular file corruption check

The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures.
Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7           HIGH           CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38699

In the Linux kernel, the following vulnerability has been resolved:

scsi: bfa: Double-free fix

When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL. Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, it attempts to free the memory pointed to by bfad->im again, thereby triggering a double-free vulnerability.

Set bfad->im to NULL if probing fails.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-415 Double Free

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           6.4         MEDIUM         CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38700

In the Linux kernel, the following vulnerability has been resolved:

scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated

In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads to an invalid pointer dereference during connection teardown.

Fix by setting iscsi_conn->dd_data only if memory is actually allocated.
Panic trace:
------------
iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12
iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers
BUG: unable to handle page fault for address: fffffffffffffff8
RIP: 0010:swake_up_locked.part.5+0xa/0x40
Call Trace:
 complete+0x31/0x40
 iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
 iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
 iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
 iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
 ? netlink_lookup+0x12f/0x1b0
 ? netlink_deliver_tap+0x2c/0x200
 netlink_unicast+0x1ab/0x280
 netlink_sendmsg+0x257/0x4f0
 ? _copy_from_user+0x29/0x60
 sock_sendmsg+0x5f/0x70

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7           HIGH           CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38701

In the Linux kernel, the following vulnerability has been resolved:

ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr

A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() when an inode had the INLINE_DATA_FL flag set but was missing the system.data extended attribute. Since this can happen due to a maliciously fuzzed file system, we shouldn't BUG, but rather, report it as a corrupted file system.

Add similar replacements of BUG_ON with EXT4_ERROR_INODE() in ext4_create_inline_data() and ext4_inline_data_truncate().
Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-617 Reachable Assertion

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38702

In the Linux kernel, the following vulnerability has been resolved:

fbdev: fix potential buffer overflow in do_register_framebuffer()

The current implementation may lead to buffer overflow when:
1. Unregistration creates NULL gaps in registered_fb[]
2. All array slots become occupied despite num_registered_fb < FB_MAX
3. The registration loop exceeds array bounds

Add boundary check to prevent registered_fb[FB_MAX] access.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-787 Out-of-bounds Write

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7.8         HIGH           CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38706

In the Linux kernel, the following vulnerability has been resolved:

ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()

snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will lead to a null pointer dereference.

This was reproduced with topology loading and marking a link as ignore due to missing hardware component on the system. On module removal the soc_tplg_remove_link() would call snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored, no runtime was created.
Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-476 NULL Pointer Dereference

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38707

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Add sanity check for file name

The length of the file name should be smaller than the directory entry size.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38708

In the Linux kernel, the following vulnerability has been resolved:

drbd: add missing kref_get in handle_write_conflicts

With `two-primaries` enabled, DRBD tries to detect "concurrent" writes and handle write conflicts, so that even if you write to the same sector simultaneously on both nodes, they end up with the identical data once the writes are completed.

In handling "superseeded" writes, we forgot a kref_get, resulting in a premature drbd_destroy_device and use after free, and further to kernel crashes with symptoms.

Relevance: No one should use DRBD as a random data generator, and apparently all users of "two-primaries" handle concurrent writes correctly on layer up. That is cluster file systems use some distributed lock manager, and live migration in virtualization environments stops writes on one node before starting writes on the other node.
Which means that other than for "test cases", this code path is never taken in real life.

FYI, in DRBD 9, things are handled differently nowadays. We still detect "write conflicts", but no longer try to be smart about them. We decided to disconnect hard instead: upper layers must not submit concurrent writes. If they do, that's their fault.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-416 Use After Free

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7.8         HIGH           CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38711

In the Linux kernel, the following vulnerability has been resolved:

smb/server: avoid deadlock when linking with ReplaceIfExists

If smb2_create_link() is called with ReplaceIfExists set and the name does exist then a deadlock will happen.

ksmbd_vfs_kern_path_locked() will return with success and the parent directory will be locked. ksmbd_vfs_remove_file() will then remove the file. ksmbd_vfs_link() will then be called while the parent is still locked. It will try to lock the same parent and will deadlock.

This patch moves the ksmbd_vfs_kern_path_unlock() call to *before* ksmbd_vfs_link() and then simplifies the code, removing the file_present flag variable.
Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38712

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()

When the volume header contains erroneous values that do not reflect the actual state of the filesystem, hfsplus_fill_super() assumes that the attributes file is not yet created, which later results in hitting BUG_ON() when hfsplus_create_attributes_file() is called. Replace this BUG_ON() with -EIO error with a message to suggest running fsck tool.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38713

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()

The hfsplus_readdir() method is capable of crashing by calling hfsplus_uni2asc():

[ 667.121659][ T9805] ==================================================================
[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10
[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805
[ 667.124578][ T9805]
[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)
[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 667.124890][ T9805] Call Trace:
[ 667.124893][ T9805]
[ 667.124896][ T9805]  dump_stack_lvl+0x10e/0x1f0
[ 667.124911][ T9805]  print_report+0xd0/0x660
[ 667.124920][ T9805]  ? __virt_addr_valid+0x81/0x610
[ 667.124928][ T9805]  ? __phys_addr+0xe8/0x180
[ 667.124934][ T9805]  ? hfsplus_uni2asc+0x902/0xa10
[ 667.124942][ T9805]  kasan_report+0xc6/0x100
[ 667.124950][ T9805]  ? hfsplus_uni2asc+0x902/0xa10
[ 667.124959][ T9805]  hfsplus_uni2asc+0x902/0xa10
[ 667.124966][ T9805]  ? hfsplus_bnode_read+0x14b/0x360
[ 667.124974][ T9805]  hfsplus_readdir+0x845/0xfc0
[ 667.124984][ T9805]  ? __pfx_hfsplus_readdir+0x10/0x10
[ 667.124994][ T9805]  ? stack_trace_save+0x8e/0xc0
[ 667.125008][ T9805]  ? iterate_dir+0x18b/0xb20
[ 667.125015][ T9805]  ? trace_lock_acquire+0x85/0xd0
[ 667.125022][ T9805]  ? lock_acquire+0x30/0x80
[ 667.125029][ T9805]  ? iterate_dir+0x18b/0xb20
[ 667.125037][ T9805]  ? down_read_killable+0x1ed/0x4c0
[ 667.125044][ T9805]  ? putname+0x154/0x1a0
[ 667.125051][ T9805]  ? __pfx_down_read_killable+0x10/0x10
[ 667.125058][ T9805]  ? apparmor_file_permission+0x239/0x3e0
[ 667.125069][ T9805]  iterate_dir+0x296/0xb20
[ 667.125076][ T9805]  __x64_sys_getdents64+0x13c/0x2c0
[ 667.125084][ T9805]  ? __pfx___x64_sys_getdents64+0x10/0x10
[ 667.125091][ T9805]  ? __x64_sys_openat+0x141/0x200
[ 667.125126][ T9805]  ? __pfx_filldir64+0x10/0x10
[ 667.125134][ T9805]  ? do_user_addr_fault+0x7fe/0x12f0
[ 667.125143][ T9805]  do_syscall_64+0xc9/0x480
[ 667.125151][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9
[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9
[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9
[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004
[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110
[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260
[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 667.125207][ T9805]
[ 667.125210][ T9805]
[ 667.145632][ T9805] Allocated by task 9805:
[ 667.145991][ T9805]  kasan_save_stack+0x20/0x40
[ 667.146352][ T9805]  kasan_save_track+0x14/0x30
[ 667.146717][ T9805]  __kasan_kmalloc+0xaa/0xb0
[ 667.147065][ T9805]  __kmalloc_noprof+0x205/0x550
[ 667.147448][ T9805]  hfsplus_find_init+0x95/0x1f0
[ 667.147813][ T9805]  hfsplus_readdir+0x220/0xfc0
[ 667.148174][ T9805]  iterate_dir+0x296/0xb20
[ 667.148549][ T9805]  __x64_sys_getdents64+0x13c/0x2c0
[ 667.148937][ T9805]  do_syscall_64+0xc9/0x480
[ 667.149291][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.149809][ T9805]
[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000
[ 667.150030][ T9805]  which belongs to the cache kmalloc-2k of size 2048
[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of
[ 667.151282][ T9805]  allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)
[ 667.1
---truncated---

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7           HIGH           CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38714

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()

The hfsplus_bnode_read() method can trigger the issue:

[ 174.852007][ T9784] ==================================================================
[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
[ 174.854059][ T9784]
[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)
[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 174.854286][ T9784] Call Trace:
[ 174.854289][ T9784]
[ 174.854292][ T9784]  dump_stack_lvl+0x10e/0x1f0
[ 174.854305][ T9784]  print_report+0xd0/0x660
[ 174.854315][ T9784]  ? __virt_addr_valid+0x81/0x610
[ 174.854323][ T9784]  ? __phys_addr+0xe8/0x180
[ 174.854330][ T9784]  ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854337][ T9784]  kasan_report+0xc6/0x100
[ 174.854346][ T9784]  ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854354][ T9784]  hfsplus_bnode_read+0x2f4/0x360
[ 174.854362][ T9784]  hfsplus_bnode_dump+0x2ec/0x380
[ 174.854370][ T9784]  ? __pfx_hfsplus_bnode_dump+0x10/0x10
[ 174.854377][ T9784]  ? hfsplus_bnode_write_u16+0x83/0xb0
[ 174.854385][ T9784]  ? srcu_gp_start+0xd0/0x310
[ 174.854393][ T9784]  ? __mark_inode_dirty+0x29e/0xe40
[ 174.854402][ T9784]  hfsplus_brec_remove+0x3d2/0x4e0
[ 174.854411][ T9784]  __hfsplus_delete_attr+0x290/0x3a0
[ 174.854419][ T9784]  ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
[ 174.854427][ T9784]  ? __pfx___hfsplus_delete_attr+0x10/0x10
[ 174.854436][ T9784]  ? __asan_memset+0x23/0x50
[ 174.854450][ T9784]  hfsplus_delete_all_attrs+0x262/0x320
[ 174.854459][ T9784]  ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
[ 174.854469][ T9784]  ? rcu_is_watching+0x12/0xc0
[ 174.854476][ T9784]  ? __mark_inode_dirty+0x29e/0xe40
[ 174.854483][ T9784]  hfsplus_delete_cat+0x845/0xde0
[ 174.854493][ T9784]  ? __pfx_hfsplus_delete_cat+0x10/0x10
[ 174.854507][ T9784]  hfsplus_unlink+0x1ca/0x7c0
[ 174.854516][ T9784]  ? __pfx_hfsplus_unlink+0x10/0x10
[ 174.854525][ T9784]  ? down_write+0x148/0x200
[ 174.854532][ T9784]  ? __pfx_down_write+0x10/0x10
[ 174.854540][ T9784]  vfs_unlink+0x2fe/0x9b0
[ 174.854549][ T9784]  do_unlinkat+0x490/0x670
[ 174.854557][ T9784]  ? __pfx_do_unlinkat+0x10/0x10
[ 174.854565][ T9784]  ? __might_fault+0xbc/0x130
[ 174.854576][ T9784]  ? getname_flags.part.0+0x1c5/0x550
[ 174.854584][ T9784]  __x64_sys_unlink+0xc5/0x110
[ 174.854592][ T9784]  do_syscall_64+0xc9/0x480
[ 174.854600][ T9784]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167
[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08
[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167
[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50
[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40
[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0
[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 174.854658][ T9784]
[ 174.854661][ T9784]
[ 174.879281][ T9784] Allocated by task 9784:
[ 174.879664][ T9784]  kasan_save_stack+0x20/0x40
[ 174.880082][ T9784]  kasan_save_track+0x14/0x30
[ 174.880500][ T9784]  __kasan_kmalloc+0xaa/0xb0
[ 174.880908][ T9784]  __kmalloc_noprof+0x205/0x550
[ 174.881337][ T9784]  __hfs_bnode_create+0x107/0x890
[ 174.881779][ T9784]  hfsplus_bnode_find+0x2d0/0xd10
[ 174.882222][ T9784]  hfsplus_brec_find+0x2b0/0x520
[ 174.882659][ T9784]  hfsplus_delete_all_attrs+0x23b/0x3
---truncated---

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           7           HIGH           CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38715

In the Linux kernel, the following vulnerability has been resolved:

hfs: fix slab-out-of-bounds in hfs_bnode_read()

This patch introduces is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces check_and_correct_requested_length() method that checks and corrects the requested length (if it is necessary). These methods are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent the access out of allocated memory and triggering the crash.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38721

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: fix refcount leak on table dump

There is a reference count leak in ctnetlink_dump_table():

    if (res < 0) {
            nf_conntrack_get(&ct->ct_general); // HERE
            cb->args[1] = (unsigned long)ct;
            ...

While it's very unlikely, it's possible that ct == last.
If this happens, then the refcount of ct was already incremented. This 2nd increment is never undone.

This prevents the conntrack object from being released, which in turn prevents cnet->count from dropping back to 0.

This will then block the netns dismantle (or conntrack rmmod) as nf_conntrack_cleanup_net_list() will wait forever.

This can be reproduced by running conntrack_resize.sh selftest in a loop. It takes ~20 minutes for me on a preemptible kernel on average before I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.

One fix would be to change this to:

    if (res < 0) {
            if (ct != last)
                    nf_conntrack_get(&ct->ct_general);

But this reference counting isn't needed in the first place. We can just store a cookie value instead.

A followup patch will do the same for ctnetlink_exp_dump_table, it looks to me as if this has the same problem and like ctnetlink_dump_table, we only need a 'skip hint', not the actual object so we can apply the same cookie strategy there as well.

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-772 Missing Release of Resource after Effective Lifetime

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38723

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Fix jump offset calculation in tailcall

The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by "#define jmp_offset (out_offset - (cur_offset))" is a negative number, which is wrong. The final generated assembly is as follows.
    54: bgeu $a2, $t1, -8 # 0x0000004c
    58: addi.d $a6, $s5, -1
    5c: bltz $a6, -16 # 0x0000004c
    60: alsl.d $t2, $a2, $a1, 0x3
    64: ld.d $t2, $t2, 264
    68: beq $t2, $zero, -28 # 0x0000004c

Before applying this patch, the following test case will reveal soft lock issues.

    cd tools/testing/selftests/bpf/
    ./test_progs --allow=tailcalls/tailcall_bpf2bpf_1

dmesg:

    watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]

Affected Products
Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected

Remediations
Vendor fix: Update to V5.0 or later version
https://support.industry.siemens.com/cs/ww/en/view/109814144/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           5.5         MEDIUM         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38724

In the Linux kernel, the following vulnerability has been resolved:

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). A SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF.

Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all.

In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked().
Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS Version 3.1; Base Score 7.8; Base Severity HIGH; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38725

In the Linux kernel, the following vulnerability has been resolved:

net: usb: asix_devices: add phy_mask for ax88772 mdio bus

Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device will bind to net phy driver. This is creating an issue during system suspend/resume since phy_polling_mode() in phy_state_machine() will directly dereference member of phydev->drv for non-main phy devices. Then NULL pointer dereference issue will occur.

Because only external phy or internal phy is necessary, add phy_mask for ax88772 mdio bus to work around the issue.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 7; Base Severity HIGH; Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38727

In the Linux kernel, the following vulnerability has been resolved:

netlink: avoid infinite retry looping in netlink_unicast()

netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has:

    rmem < READ_ONCE(sk->sk_rcvbuf)

to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under:

    rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)

The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is equal to sk->sk_rcvbuf. Thus the function neither successfully accepts these conditions, nor manages to reschedule the task, and is called in a retry loop for an indefinite time, which is caught as:

    rcu: INFO: rcu_sched self-detected stall on CPU
    rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
    (t=26000 jiffies g=230833 q=259957)
    NMI backtrace for cpu 0
    CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
    Call Trace:
    dump_stack lib/dump_stack.c:120
    nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
    nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
    rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
    rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
    update_process_times kernel/time/timer.c:1953
    tick_sched_handle kernel/time/tick-sched.c:227
    tick_sched_timer kernel/time/tick-sched.c:1399
    __hrtimer_run_queues kernel/time/hrtimer.c:1652
    hrtimer_interrupt kernel/time/hrtimer.c:1717
    __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
    asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
    netlink_attachskb net/netlink/af_netlink.c:1234
    netlink_unicast net/netlink/af_netlink.c:1349
    kauditd_send_queue kernel/audit.c:776
    kauditd_thread kernel/audit.c:897
    kthread kernel/kthread.c:328
    ret_from_fork arch/x86/entry/entry_64.S:304

Restore the original behavior of the check which commit in Fixes accidentally missed when restructuring the code.

Found by Linux Verification Center (linuxtesting.org).
Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38728

In the Linux kernel, the following vulnerability has been resolved:

smb3: fix for slab out of bounds on mount to ksmbd

With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below):

    BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs]
    Read of size 4 at addr ffff8881433dba98 by task mount/9827
    CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)
    Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
    Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, BIOS 2.13.1 06/14/2019
    Call Trace:
    dump_stack_lvl+0x9f/0xf0
    print_report+0xd1/0x670
    __virt_addr_valid+0x22c/0x430
    ? parse_server_interfaces+0x14ee/0x1880 [cifs]
    ? kasan_complete_mode_report_info+0x2a/0x1f0
    ? parse_server_interfaces+0x14ee/0x1880 [cifs]
    kasan_report+0xd6/0x110
    parse_server_interfaces+0x14ee/0x1880 [cifs]
    __asan_report_load_n_noabort+0x13/0x20
    parse_server_interfaces+0x14ee/0x1880 [cifs]
    ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]
    ? trace_hardirqs_on+0x51/0x60
    SMB3_request_interfaces+0x1ad/0x3f0 [cifs]
    ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]
    ? SMB2_tcon+0x23c/0x15d0 [cifs]
    smb3_qfs_tcon+0x173/0x2b0 [cifs]
    ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
    ? cifs_get_tcon+0x105d/0x2120 [cifs]
    ? do_raw_spin_unlock+0x5d/0x200
    ? cifs_get_tcon+0x105d/0x2120 [cifs]
    ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
    cifs_mount_get_tcon+0x369/0xb90 [cifs]
    ? dfs_cache_find+0xe7/0x150 [cifs]
    dfs_mount_share+0x985/0x2970 [cifs]
    ? check_path.constprop.0+0x28/0x50
    ? save_trace+0x54/0x370
    ? __pfx_dfs_mount_share+0x10/0x10 [cifs]
    ? __lock_acquire+0xb82/0x2ba0
    ? __kasan_check_write+0x18/0x20
    cifs_mount+0xbc/0x9e0 [cifs]
    ? __pfx_cifs_mount+0x10/0x10 [cifs]
    ? do_raw_spin_unlock+0x5d/0x200
    ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]
    cifs_smb3_do_mount+0x263/0x1990 [cifs]

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38729

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Validate UAC3 power domain descriptors, too

UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS Version 3.1; Base Score 7.1; Base Severity HIGH; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2025-38732

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject: don't leak dst refcount for loopback packets

Recent patches to add a WARN() when replacing skb dst entry found an old bug:

    WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
    WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]
    WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
    [..]
    Call Trace:
    nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325
    nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27
    expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]
    ..

This is because the blamed commit forgot about loopback packets. Such packets already have a dst_entry attached, even at PRE_ROUTING stage.

Instead of checking hook just check if the skb already has a route attached to it.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-911 Improper Update of Reference Count
Metrics: CVSS Version 3.1; Base Score 5.8; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

CVE-2025-38735

In the Linux kernel, the following vulnerability has been resolved:

gve: prevent ethtool ops after shutdown

A crash can occur if an ethtool operation is invoked after shutdown() is called.

shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the device may still be visible to userspace and kernel helpers.

In gve, shutdown() tears down most internal data structures. If an ethtool operation is dispatched after shutdown(), it will dereference freed or NULL pointers, leading to a kernel panic. While graceful shutdown normally quiesces userspace before invoking the reboot syscall, forced shutdowns (as observed on GCP VMs) can still trigger this path.

Fix by calling netif_device_detach() in shutdown(). This marks the device as detached so the ethtool ioctl handler will skip dispatching operations to the driver.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-664 Improper Control of a Resource Through its Lifetime
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38736

In the Linux kernel, the following vulnerability has been resolved:

net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization

Syzbot reported shift-out-of-bounds exception on MDIO bus initialization. The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues with MDIO bus operations.

Fix this by masking the PHY address with 0x1f (31 decimal) to ensure it stays within the valid range.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39673

In the Linux kernel, the following vulnerability has been resolved:

ppp: fix race conditions in ppp_fill_forward_path

ppp_fill_forward_path() has two race conditions:

1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic.

2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels.
Fix these by using a lockless RCU approach:

- Use list_first_or_null_rcu() to safely test and access the first list entry.
- Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal.
- Check for a NULL pch->chan before dereferencing it.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Metrics: CVSS Version 3.1; Base Score 5.9; Base Severity MEDIUM; Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39675

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()

The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference.

Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function returns null.

This is similar to the commit c3e9826a2202 ("drm/amd/display: Add null pointer check for get_first_active_display()").

(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39676

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla4xxx: Prevent a potential error pointer dereference

The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-394 Unexpected Status Code or Return Value
Metrics: CVSS Version 3.1; Base Score 5.1; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39681

In the Linux kernel, the following vulnerability has been resolved:

x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper

Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put that call in their code.

This triggers a division by zero fault during early booting stage on our machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.

Add the missing resctrl_cpu_detect() in the Hygon BSP init helper.
[ bp: Massage commit message. ]

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-369 Divide By Zero
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39682

In the Linux kernel, the following vulnerability has been resolved:

tls: fix handling of zero-length records on the rx_list

Each recvmsg() call must process either
 - only contiguous DATA records (any number of them)
 - one non-DATA record

If the next record has a different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_list. Next recvmsg() will pick it up from there.

Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length).

Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 7; Base Severity HIGH; Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE-2025-39683

In the Linux kernel, the following vulnerability has been resolved:

tracing: Limit access to parser->buffer when trace_get_user failed

When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:

    BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0
    Read of size 1 at addr ffff0000d00bd5ba by task ash/165
    CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty
    Hardware name: linux,dummy-virt (DT)
    Call trace:
    show_stack+0x34/0x50 (C)
    dump_stack_lvl+0xa0/0x158
    print_address_description.constprop.0+0x88/0x398
    print_report+0xb0/0x280
    kasan_report+0xa4/0xf0
    __asan_report_load1_noabort+0x20/0x30
    strsep+0x18c/0x1b0
    ftrace_process_regex.isra.0+0x100/0x2d8
    ftrace_regex_release+0x484/0x618
    __fput+0x364/0xa58
    ____fput+0x28/0x40
    task_work_run+0x154/0x278
    do_notify_resume+0x1f0/0x220
    el0_svc+0xec/0xf0
    el0t_64_sync_handler+0xa0/0xe8
    el0t_64_sync+0x1ac/0x1b0

The reason is that trace_get_user will fail when processing a string longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0. Then an OOB access will be triggered in ftrace_regex_release-> ftrace_process_regex->strsep->strpbrk.

We can solve this problem by limiting access to parser->buffer when trace_get_user failed.
Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS Version 3.1; Base Score 7.1; Base Severity HIGH; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2025-39684

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()

syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing.

One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data.

Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer.

Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction.

Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39685

In the Linux kernel, the following vulnerability has been resolved:

comedi: pcl726: Prevent invalid irq number

The reproducer passed in an irq number (0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large.

If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.

The old code would just not attempt to request the IRQ if the `options[1]` value were invalid. And it would still configure the device without interrupts even if the call to `request_irq` returned an error. So it would be better to combine this test with the test below.
Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39686

In the Linux kernel, the following vulnerability has been resolved:

comedi: Make insn_rw_emulate_bits() do insn->n samples

The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able to read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.)

Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39687

In the Linux kernel, the following vulnerability has been resolved:

iio: light: as73211: Ensure buffer holes are zeroed

Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39689

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Also allocate and copy hash for reading of filter files

Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs.

Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers.
Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS Version 3.1; Base Score 7.8; Base Severity HIGH; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39691

In the Linux kernel, the following vulnerability has been resolved:

fs/buffer: fix use-after-free when call bh_read() helper

There's an issue as follows:

    BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
    Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
    CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    Call Trace:
    dump_stack_lvl+0x55/0x70
    print_address_description.constprop.0+0x2c/0x390
    print_report+0xb4/0x270
    kasan_report+0xb8/0xf0
    end_buffer_read_sync+0xe3/0x110
    end_bio_bh_io_sync+0x56/0x80
    blk_update_request+0x30a/0x720
    scsi_end_request+0x51/0x2b0
    scsi_io_completion+0xe3/0x480
    ? scsi_device_unbusy+0x11e/0x160
    blk_complete_reqs+0x7b/0x90
    handle_softirqs+0xef/0x370
    irq_exit_rcu+0xa5/0xd0
    sysvec_apic_timer_interrupt+0x6e/0x90

The above issue happens when doing an ntfs3 filesystem mount; the issue may happen as follows:

    mount                                         IRQ
    ntfs_fill_super
      read_cache_page
        do_read_cache_folio
          filemap_read_folio
            mpage_read_folio
              do_mpage_readpage
                ntfs_get_block_vbo
                  bh_read
                    submit_bh
                    wait_on_buffer(bh);
                                                  blk_complete_reqs
                                                    scsi_io_completion
                                                      scsi_end_request
                                                        blk_update_request
                                                          end_bio_bh_io_sync
                                                            end_buffer_read_sync
                                                              __end_buffer_read_notouch
                                                                unlock_buffer
                    wait_on_buffer(bh);--> return will return to caller
                                                                put_bh
                                                                --> trigger stack-out-of-bounds

In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed. Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in stack overrun.

If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch().

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS Version 3.1; Base Score 4.4; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39692

In the Linux kernel, the following vulnerability has been resolved:

smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()

We can't call destroy_workqueue(smb_direct_wq); before stop_sessions()! Otherwise already existing connections try to use smb_direct_wq as a NULL pointer.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39693

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid a NULL pointer dereference

[WHY]
Although unlikely, drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL.

[HOW]
Check returns before dereference.
(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS Version 3.1; Base Score 4.7; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39694

In the Linux kernel, the following vulnerability has been resolved:

s390/sclp: Fix SCCB present check

Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address translation.

If the kernel identity mapping does not start at address zero, the resulting virtual address is never zero, so that the NULL checks won't work. Subsequently this may result in incorrect accesses to the first page of the identity mapping.

Fix this by introducing a function that handles the NULL case before address translation.

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input
Metrics: CVSS Version 3.1; Base Score 7; Base Severity HIGH; Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39697

In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix a race when updating an existing write

After nfs_lock_and_join_requests() tests for whether the request is still attached to the mapping, nothing prevents a call to nfs_inode_remove_request() from succeeding until we actually lock the page group. The reason is that whoever called nfs_inode_remove_request() doesn't necessarily have a lock on the page group head.

So in order to avoid races, let's take the page group lock earlier in nfs_lock_and_join_requests(), and hold it across the removal of the request in nfs_inode_remove_request().

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Metrics: CVSS Version 3.1; Base Score 4.7; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39701

In the Linux kernel, the following vulnerability has been resolved:

ACPI: pfr_update: Fix the driver update version check

The security-version-number check should be used rather than the runtime version check for driver updates. Otherwise, the firmware update would fail when the update binary had a lower runtime version number than the current one.

[ rjw: Changelog edits ]

Affected Products: Siemens SIMATIC; Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected
Remediations: Vendor fix: Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-1025 Comparison Using Wrong Factors
Metrics: CVSS Version 3.1; Base Score 5.5; Base Severity MEDIUM; Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39702

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sr: Fix MAC comparison to be constant-time

To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-208 Observable Timing Discrepancy
Metrics: CVSS Version 3.1, Base Score 7.1, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2025-39703
In the Linux kernel, the following vulnerability has been resolved:
net, hsr: reject HSR frame if skb can't hold tag
Receiving an HSR frame with insufficient space to hold the HSR tag in the skb can result in a crash (kernel BUG):

[ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1
[ 45.392559] ------------[ cut here ]------------
[ 45.392912] kernel BUG at net/core/skbuff.c:211!
[ 45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)
[ 45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 45.395273] RIP: 0010:skb_panic+0x15b/0x1d0
[ 45.402911] Call Trace:
[ 45.403105]
[ 45.404470] skb_push+0xcd/0xf0
[ 45.404726] br_dev_queue_push_xmit+0x7c/0x6c0
[ 45.406513] br_forward_finish+0x128/0x260
[ 45.408483] __br_forward+0x42d/0x590
[ 45.409464] maybe_deliver+0x2eb/0x420
[ 45.409763] br_flood+0x174/0x4a0
[ 45.410030] br_handle_frame_finish+0xc7c/0x1bc0
[ 45.411618] br_handle_frame+0xac3/0x1230
[ 45.413674] __netif_receive_skb_core.constprop.0+0x808/0x3df0
[ 45.422966] __netif_receive_skb_one_core+0xb4/0x1f0
[ 45.424478] __netif_receive_skb+0x22/0x170
[ 45.424806] process_backlog+0x242/0x6d0
[ 45.425116] __napi_poll+0xbb/0x630
[ 45.425394] net_rx_action+0x4d1/0xcc0
[ 45.427613] handle_softirqs+0x1a4/0x580
[ 45.427926] do_softirq+0x74/0x90
[ 45.428196]

This issue was
found by syzkaller. The panic happens in br_dev_queue_push_xmit() once it receives a corrupted skb with ETH header already pushed in linear data. When it attempts the skb_push() call, there's not enough headroom and skb_push() panics. The corrupted skb is put on the queue by HSR layer, which makes a sequence of unintended transformations when it receives a specific corrupted HSR frame (with incomplete TAG).

Fix it by dropping and consuming frames that are not long enough to contain both ethernet and hsr headers. Alternative fix would be to check for enough headroom before skb_push() in br_dev_queue_push_xmit().

In the reproducer, this is injected via AF_PACKET, but I don't easily see why it couldn't be sent over the wire from an adjacent network.

Further Details:

In the reproducer, the following network interface chain is set up:

    ┌────────────────┐   ┌────────────────┐
    │  veth0_to_hsr  ├───┤   hsr_slave0   ┼───┐
    └────────────────┘   └────────────────┘   │
                                              │   ┌──────┐
                                              ├───┤ hsr0 ├───┐
                                              │   └──────┘   │
    ┌────────────────┐   ┌────────────────┐   │             │┌────────┐
    │  veth1_to_hsr  ┼───┤   hsr_slave1   ├───┘             └┤        │
    └────────────────┘   └────────────────┘                  ┌┼ bridge │
                                                             ││        │
                                                             │└────────┘
    ┌───────┐                                                │
    │  ...  ├────────────────────────────────────────────────┘
    └───────┘

To trigger the events leading up to crash, reproducer sends a corrupted HSR fr ---truncated---

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-1286 Improper Validation of Syntactic Correctness of Input
Metrics: CVSS Version 3.1, Base Score 6.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39706
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
Since KFD proc content was moved to kernel debugfs, we can't destroy KFD debugfs before kfd_process_destroy_wq.
Move kfd_process_destroy_wq prior to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens when /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but kfd_process_destroy_wq calls kfd_debugfs_remove_process. This line

    debugfs_remove_recursive(entry->proc_dentry);

tries to remove /sys/kernel/debug/kfd/proc/ while /sys/kernel/debug/kfd is already gone. It hangs the kernel by a kernel NULL pointer.

(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39709
In the Linux kernel, the following vulnerability has been resolved:
media: venus: protect against spurious interrupts during probe
Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a NULL dereference. This error condition has been observed during system boot on Rb3Gen2.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39710
In the Linux kernel, the following vulnerability has been resolved:
media: venus: Add a check for packet size after reading from shared memory
Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to process and prevent potential out-of-bounds memory access.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39713
In the Linux kernel, the following vulnerability has been resolved:
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock. Multiple interrupt invocations can race, with each reading buf_len before it becomes full and then proceeding. This can lead to both interrupts attempting to write to the buffer, incrementing buf_len beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spin_lock() to before the buffer full check. This ensures that the check and the subsequent buffer modification are performed atomically, preventing the race condition. A corresponding spin_unlock() is added to the overflow path to correctly release the lock.

This possible bug was found by an experimental static analysis tool developed by our team.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39714
In the Linux kernel, the following vulnerability has been resolved:
media: usbtv: Lock resolution while streaming
When a program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, but the video plane buffer isn't adjusted, so it overflows.
[hverkuil: call vb2_is_busy instead of vb2_is_streaming]

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39715
In the Linux kernel, the following vulnerability has been resolved:
parisc: Revise gateway LWS calls to probe user read access
We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory.
Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel and gateway page execute at privilege level 0, so this code never triggers a read access interruption. Thus, it is currently possible for user code to execute a LWS compare and swap operation at an address that is read protected at privilege level 3 (PRIV_USER).

Fix this by probing read access rights at privilege level 3 and branching to lws_fault if access isn't allowed.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39716
In the Linux kernel, the following vulnerability has been resolved:
parisc: Revise __get_user() to probe user read access
Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26). Thus, it is currently possible for user code to access a read protected address via a system call.

Fix this by probing read access rights at privilege level 3 (PRIV_USER) and setting __gu_err to -EFAULT (-14) if access isn't allowed.

Note the cmpiclr instruction does a 32-bit compare because COND macro doesn't work inside asm.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39718
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: Validate length in packet header before skb_put()
When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky.

Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put().

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS Version 3.1, Base Score 7.6, Base Severity HIGH, Vector String CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE-2025-39719
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: bno055: fix OOB access of hw_xlate array
Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c.

In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array is larger than the hw_xlate array, so this could result in an out-of-bounds access.
In practice, this shouldn't happen though because a match should always be found which breaks out of the for loop before it iterates beyond the end of the hw_xlate array.

By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be sure we are iterating over the correct length.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39724
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: fix panic due to PSLVERR
When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled.

In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition.

When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle().

Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue.

Panic backtrace:
[ 0.442336] Oops - unknown exception [#1]
[ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a
[ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e
...
[ 0.442416] console_on_rootfs+0x26/0x70

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39736
In the Linux kernel, the following vulnerability has been resolved:
mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock inversion with the netconsole subsystem. This occurs because pr_warn_once() may trigger netpoll, which eventually leads to __alloc_skb() and back into kmemleak code, attempting to reacquire kmemleak_lock.

This is the path for the deadlock.

mem_pool_alloc()
  -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
  -> pr_warn_once()
    -> netconsole subsystem
      -> netpoll
        -> __alloc_skb
          -> __create_object
            -> raw_spin_lock_irqsave(&kmemleak_lock, flags);

Fix this by setting a flag and issuing the pr_warn_once() after kmemleak_lock is released.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-833 Deadlock
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39737
In the Linux kernel, the following vulnerability has been resolved:
mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
A soft lockup warning was observed on a relatively small x86-64 system with 16 GB of memory when running a debug kernel with kmemleak enabled.

watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]

The test system was running a workload with hot unplug happening in parallel. Then kmemleak decided to disable itself due to its inability to allocate more kmemleak objects. The debug kernel has its CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.

The soft lockup happened in kmemleak_do_cleanup() when the existing kmemleak objects were being removed and deleted one-by-one in a loop via a workqueue. In this particular case, there are at least 40,000 objects that need to be processed and given the slowness of a debug kernel and the fact that a raw_spinlock has to be acquired and released in __delete_object(), it could take a while to properly handle all these objects.

As kmemleak has been disabled in this case, the object removal and deletion process can be further optimized as locking isn't really needed. However, it is probably not worth the effort to optimize for such an edge case that should rarely happen. So the simple solution is to call cond_resched() at periodic intervals in the iteration loop to avoid soft lockup.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39738
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not allow relocation of partially dropped subvolumes

[BUG]
There is an internal report that balance triggered transaction abort, with the following call trace:

item 85 key (594509824 169 0) itemoff 12599 itemsize 33
  extent refs 1 gen 197740 flags 2
  ref#0: tree block backref root 7
item 86 key (594558976 169 0) itemoff 12566 itemsize 33
  extent refs 1 gen 197522 flags 2
  ref#0: tree block backref root 7
...
BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0
BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117
------------[ cut here ]------------
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs]

And btrfs check doesn't report anything wrong related to the extent tree.

[CAUSE]
The cause is a little complex, firstly the extent tree indeed doesn't have the backref for 594526208.
The extent tree only has the following two backrefs around that bytenr on-disk:

item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33
  refs 1 gen 197740 flags TREE_BLOCK
  tree block skinny level 0 (176 0x7)
  tree block backref root CSUM_TREE
item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33
  refs 1 gen 197522 flags TREE_BLOCK
  tree block skinny level 0 (176 0x7)
  tree block backref root CSUM_TREE

But such a missing backref item is not a corruption on disk, as the offending delayed ref belongs to subvolume 934, and that subvolume is being dropped:

item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439
  generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328
  last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0
  drop_progress key (206324 EXTENT_DATA 2711650304) drop_level 2 level 2
  generation_v2 198229

And that offending tree block 594526208 is inside the dropped range of that subvolume. That explains why there is no backref item for that bytenr and why btrfs check is not reporting anything wrong.

But this also shows another problem, as btrfs will do all the orphan subvolume cleanup at a read-write mount. So half-dropped subvolume should not exist after an RW mount, and balance itself is also exclusive to subvolume cleanup, meaning we shouldn't hit a subvolume half-dropped during relocation.

The root cause is, there is no orphan item for this subvolume. In fact there are 5 subvolumes from around 2021 that have the same problem. It looks like the original report has some older kernels running, and caused those zombie subvolumes. Thankfully upstream commit 8d488a8c7ba2 ("btrfs: fix subvolume/snapshot deletion not triggered on mount") has long fixed the bug.

[ENHANCEMENT]
For repairing such old fs, btrfs-progs will be enhanced.

Considering how delayed the problem will show up (at run delayed ref time) and at that time we have to abort transaction already, it is too late.
Instead here we reject any half-dropped subvolume for reloc tree at the earliest time, preventing confusion and extra time wasted on debugging similar bugs.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39742
In the Linux kernel, the following vulnerability has been resolved:
RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
The function divides number of online CPUs by num_core_siblings, and later checks the divider by zero. This implies a possibility to get a divide-by-zero runtime error. Fix it by moving the check prior to division. This also helps to save one indentation level.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-369 Divide By Zero
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39743
In the Linux kernel, the following vulnerability has been resolved:
jfs: truncate good inode pages when hard link is 0
The fileset value of the inode copy from the disk by the reproducer is AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its inode pages are not truncated. This causes the BUG_ON to be triggered when executing clear_inode() because nrpages is greater than 0.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39749
In the Linux kernel, the following vulnerability has been resolved:
rcu: Protect ->defer_qs_iw_pending from data race
On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is invoked within an interrupts-disabled region of code [1], it will invoke rcu_read_unlock_special(), which uses an irq-work handler to force the system to notice when the RCU read-side critical section actually ends. That end won't happen until interrupts are enabled at the soonest.

In some kernels, such as those booted with rcutree.use_softirq=y, the irq-work handler is used unconditionally.

The per-CPU rcu_data structure's ->defer_qs_iw_pending field is updated by the irq-work handler and is both read and updated by rcu_read_unlock_special().
This resulted in the following KCSAN splat:

------------------------------------------------------------------------
BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special

read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
 rcu_read_unlock_special+0x175/0x260
 __rcu_read_unlock+0x92/0xa0
 rt_spin_unlock+0x9b/0xc0
 __local_bh_enable+0x10d/0x170
 __local_bh_enable_ip+0xfb/0x150
 rcu_do_batch+0x595/0xc40
 rcu_cpu_kthread+0x4e9/0x830
 smpboot_thread_fn+0x24d/0x3b0
 kthread+0x3bd/0x410
 ret_from_fork+0x35/0x40
 ret_from_fork_asm+0x1a/0x30

write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
 rcu_preempt_deferred_qs_handler+0x1e/0x30
 irq_work_single+0xaf/0x160
 run_irq_workd+0x91/0xc0
 smpboot_thread_fn+0x24d/0x3b0
 kthread+0x3bd/0x410
 ret_from_fork+0x35/0x40
 ret_from_fork_asm+0x1a/0x30

no locks held by irq_work/8/88.
irq event stamp: 200272
hardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320
hardirqs last disabled at (200271): [] __schedule+0x129/0xd70
softirqs last enabled at (0): [] copy_process+0x4df/0x1cc0
softirqs last disabled at (0): [<0000000000000000>] 0x0
------------------------------------------------------------------------

The problem is that irq-work handlers run with interrupts enabled, which means that rcu_preempt_deferred_qs_handler() could be interrupted, and that interrupt handler might contain an RCU read-side critical section, which might invoke rcu_read_unlock_special(). In the strict KCSAN mode of operation used by RCU, this constitutes a data race on the ->defer_qs_iw_pending field.

This commit therefore disables interrupts across the portion of the rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending field. This suffices because this handler is not a fast path.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39752
In the Linux kernel, the following vulnerability has been resolved:
ARM: rockchip: fix kernel hang during smp initialization
In order to bring up secondary CPUs, the main CPU writes trampoline code to SRAM. The trampoline code is written while secondary CPUs are powered on (at least that is true for the RK3188 CPU). Sometimes that leads to kernel hang. Probably because a secondary CPU executes the trampoline code while the kernel doesn't expect it.

The patch moves SRAM initialization step to the point where all secondary CPUs are powered down. That fixes rare hangs on RK3188:

[ 0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[ 0.091996] rockchip_smp_prepare_cpus: ncores 4

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-364 Signal Handler Race Condition
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39756
In the Linux kernel, the following vulnerability has been resolved:
fs: Prevent file descriptor table allocations exceeding INT_MAX
When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_MAX, resulting in a WARNING in mm/slub.c:

WARNING: CPU: 0 PID: 44 at mm/slub.c:5027
__kvmalloc_node_noprof+0x21a/0x288

This happens because kvmalloc_array() and kvmalloc() check if the requested size exceeds INT_MAX and emit a warning when the allocation is not flagged with __GFP_NOWARN.

Specifically, when nr_open is set to 1073741816 (0x3ffffff8) and a process calls dup2(oldfd, 1073741880), the kernel attempts to allocate:
- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes
- Multiple bitmaps: ~400MB
- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)

Reproducer:

1. Set /proc/sys/fs/nr_open to 1073741816:
   # echo 1073741816 > /proc/sys/fs/nr_open

2. Run a program that uses a high file descriptor:
   /* headers restored; the page's copy lost the angle-bracketed names */
   #include <sys/resource.h>
   #include <unistd.h>

   int main() {
       struct rlimit rlim = {1073741824, 1073741824};
       setrlimit(RLIMIT_NOFILE, &rlim);
       dup2(2, 1073741880);  // Triggers the warning
       return 0;
   }

3. Observe WARNING in dmesg at mm/slub.c:5027

systemd commit a8b627a introduced automatic bumping of fs.nr_open to the maximum possible value. The rationale was that systems with memory control groups (memcg) no longer need separate file descriptor limits since memory is properly accounted. However, this change overlooked that:

1. The kernel's allocation functions still enforce INT_MAX as a maximum size regardless of memcg accounting
2. Programs and tests that legitimately test file descriptor limits can inadvertently trigger massive allocations
3. The resulting allocations (>8GB) are impractical and will always fail

systemd's algorithm starts with INT_MAX and keeps halving the value until the kernel accepts it. On most systems, this results in nr_open being set to 1073741816 (0x3ffffff8), which is just under 1GB of file descriptors.

While processes rarely use file descriptors near this limit in normal operation, certain selftests (like tools/testing/selftests/core/unshare_test.c) and programs that test file descriptor limits can trigger this issue.

Fix this by adding a check in alloc_fdtable() to ensure the requested allocation size does not exceed INT_MAX.
This causes the operation to fail with -EMFILE instead of triggering a kernel warning and avoids the impractical >8GB memory allocation request.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39757
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to unexpected OOB accesses.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7.1, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2025-39759
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: fix race between quota disable and quota rescan ioctl
There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree.
This happens as follows:

1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();

2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing because at that point fs_info->qgroup_rescan_running is false (it wasn't set yet by task A);

3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;

4) Task A enters qgroup_rescan_zero_tracking() which starts iterating the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock, but task B is freeing qgroup records from that tree without holding the lock, resulting in a use-after-free.

Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config(). Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas were already disabled.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix - Update to V5.0 or later version, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39760
In the Linux kernel, the following vulnerability has been resolved:
usb: core: config: Prevent OOB read in SS endpoint companion parsing
usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size.

Fix this up by checking the size first before looking at any of the fields in the descriptor.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39766
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
    htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
    cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1
This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow. I do not believe a return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 7.0 (HIGH), Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39770
In the Linux kernel, the following vulnerability has been resolved:
net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM
When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises the NETIF_F_IPV6_CSUM feature, which has a strict contract: it supports checksum offload only for plain TCP or UDP over IPv6 and explicitly does not support packets with extension headers. The current GSO logic violates this contract by failing to disable the feature for packets with extension headers, such as those used in GREoIPv6 tunnels. This violation results in the device being asked to perform an operation it cannot support, leading to a `skb_warn_bad_offload` warning and a collapse of network throughput. While device TSO/USO is correctly bypassed in favor of software GSO for these packets, the GSO stack must be explicitly told not to request checksum offload.
Mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4 in gso_features_check if the IPv6 header contains extension headers to compute the checksum in software. The exception is a BIG TCP extension, which, as stated in commit 68e068cabd2c6c53 ("net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets"): "The feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices."
kernel log output (truncated):
WARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140
...
Call Trace:
  skb_checksum_help+0x12a/0x1f0
  validate_xmit_skb+0x1a3/0x2d0
  validate_xmit_skb_list+0x4f/0x80
  sch_direct_xmit+0x1a2/0x380
  __dev_xmit_skb+0x242/0x670
  __dev_queue_xmit+0x3fc/0x7f0
  ip6_finish_output2+0x25e/0x5d0
  ip6_finish_output+0x1fc/0x3f0
  ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]
  ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]
  dev_hard_start_xmit+0x63/0x1c0
  __dev_queue_xmit+0x6d0/0x7f0
  ip6_finish_output2+0x214/0x5d0
  ip6_finish_output+0x1fc/0x3f0
  ip6_xmit+0x2ca/0x6f0
  ip6_finish_output+0x1fc/0x3f0
  ip6_xmit+0x2ca/0x6f0
  inet6_csk_xmit+0xeb/0x150
  __tcp_transmit_skb+0x555/0xa80
  tcp_write_xmit+0x32a/0xe90
  tcp_sendmsg_locked+0x437/0x1110
  tcp_sendmsg+0x2f/0x50
...
skb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e
skb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00
skb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00
skb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00
skb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00
skb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00
skb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9
skb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01
skb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-573 Improper Following of Specification by Caller
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39772
In the Linux kernel, the following vulnerability has been resolved:
drm/hisilicon/hibmc: fix the hibmc loaded failed bug
When hibmc loading failed, the
driver uses hibmc_unload to free the resources, but the mutexes in mode.config are not initialized, which will access a NULL pointer. Just change the goto statement to return, because hibmc_hw_init() doesn't need to free anything.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39773
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: fix soft lockup in br_multicast_query_expired()
When multicast_query_interval is set to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue.
watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]
CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)
Call Trace:
  __netdev_alloc_skb+0x2e/0x3a0
  br_ip6_multicast_alloc_query+0x212/0x1b70
  __br_multicast_send_query+0x376/0xac0
  br_multicast_send_query+0x299/0x510
  br_multicast_query_expired.constprop.0+0x16d/0x1b0
  call_timer_fn+0x3b/0x2a0
  __run_timers+0x619/0x950
  run_timer_softirq+0x11c/0x220
  handle_softirqs+0x18e/0x560
  __irq_exit_rcu+0x158/0x1a0
  sysvec_apic_timer_interrupt+0x76/0x90
This issue can be reproduced with:
ip link add br0 type bridge
echo 1 > /sys/class/net/br0/bridge/multicast_querier
echo 0xffffffffffffffff > /sys/class/net/br0/bridge/multicast_query_interval
ip link set dev br0 up
The multicast_startup_query_interval can also cause this issue.
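For the query-interval overflow described in CVE-2025-39773 above, the following added example models the timer arithmetic in userspace; it is not kernel code and not part of the advisory. It assumes 64-bit jiffies and the kernel's wrap-tolerant time_after() comparison (a signed difference), and the bound names QUERY_INTVL_MIN_JIFFIES and QUERY_INTVL_MAX_JIFFIES, the HZ value and the setter are hypothetical, chosen so that now + interval can never compare as already expired.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* 64-bit jiffies, as on a 64-bit kernel; HZ assumed to be 250 (illustrative). */
typedef uint64_t jiffies_t;
#define HZ 250ULL

/* Kernel-style wrap-tolerant comparison: true when a is later than b. */
static bool time_after(jiffies_t a, jiffies_t b)
{
    return (int64_t)(b - a) < 0;
}

/* Model of the arming done in br_multicast_send_query(): the next query is
 * due at now + interval, and mod_timer() fires it as soon as that is not in
 * the future. Returns true when the timer would fire immediately, which is
 * the condition that re-arms in a loop and trips the soft lockup. */
bool query_timer_fires_immediately(jiffies_t now, jiffies_t interval)
{
    jiffies_t expiry = now + interval;   /* wraps for huge intervals */
    return !time_after(expiry, now);
}

/* Hypothetical bounds, named for this example only. The minimum mirrors the
 * lower-bound check the commit refers to; the maximum is the largest value
 * for which now + interval still compares as "after" now under the signed
 * difference rule, so the timer can never land in the past. */
#define QUERY_INTVL_MIN_JIFFIES (1 * HZ)
#define QUERY_INTVL_MAX_JIFFIES ((jiffies_t)INT64_MAX)

/* Clamping setter: stores the requested interval, pulled into range when
 * necessary. Returns true when the value had to be adjusted, so a caller can
 * log it the way the kernel does for the minimum. */
bool set_query_interval(jiffies_t *slot, jiffies_t requested)
{
    bool adjusted = false;

    if (requested < QUERY_INTVL_MIN_JIFFIES) {
        requested = QUERY_INTVL_MIN_JIFFIES;
        adjusted = true;
    } else if (requested > QUERY_INTVL_MAX_JIFFIES) {
        requested = QUERY_INTVL_MAX_JIFFIES;
        adjusted = true;
    }
    *slot = requested;
    return adjusted;
}

int main(void)
{
    jiffies_t now = 1000, slot;
    jiffies_t sane = 125 * HZ;                 /* the default 125 s interval */
    jiffies_t huge = UINT64_MAX;               /* the 0xffffffffffffffff repro */

    printf("sane interval fires immediately: %d\n",
           query_timer_fires_immediately(now, sane));
    printf("huge interval fires immediately: %d\n",
           query_timer_fires_immediately(now, huge));

    bool adjusted = set_query_interval(&slot, huge);
    printf("huge interval clamped: %d, fires immediately now: %d\n",
           adjusted, query_timer_fires_immediately(now, slot));
    return 0;
}
```

With interval 0xffffffffffffffff the sum is now - 1, so the expiry compares as already past and the timer callback re-arms itself from within the timer softirq; clamping at the setter is what breaks that loop regardless of what the timer code does with the stored value.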
Similar to the commit 99b40610956a ("net: bridge: mcast: add and enforce query interval minimum"), add a check for the query interval maximum to fix this issue.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-667 Improper Locking
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39776
In the Linux kernel, the following vulnerability has been resolved:
mm/debug_vm_pgtable: clear page table entries at destroy_args()
The mm/debug_vm_pagetable test manually allocates page table entries for the tests it runs, also using its own manually allocated mm_struct. That in itself is ok, but when it exits, at destroy_args() it fails to clear those entries with the *_clear functions. The problem is that this leaves stale entries. If another process allocates an mm_struct with a pgd at the same address, it may end up running into the stale entry. This is happening in practice on a debug kernel with CONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra debugging I added (it prints a warning trace if pgtables_bytes goes negative, in addition to the warning at the check_mm() function):
[    2.539353] debug_vm_pgtable: [get_random_vaddr         ]: random_vaddr is 0x7ea247140000
[    2.539366] kmem_cache info
[    2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508
[    2.539447] debug_vm_pgtable: [init_args                ]: args->mm is 0x000000002267cc9e
(...)
[    2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0
[    2.552816] Modules linked in:
[    2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY
[    2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries
[    2.552872] NIP:  c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90
[    2.552885] REGS: c0000000622e73b0 TRAP: 0700   Not tainted  (6.12.0-105.debug_vm2.el10.ppc64le+debug)
[    2.552899] MSR:  800000000282b033 CR: 24002822  XER: 0000000a
[    2.552954] CFAR: c0000000008f03f0 IRQMASK: 0
[    2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001
[    2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff
[    2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000
[    2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb
[    2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0
[    2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000
[    2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001
[    2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760
[    2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0
[    2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0
[    2.553199] Call Trace:
[    2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)
[    2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0
[    2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570
[    2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650
[    2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290
[    2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0
[    2.558361] [c0000000622e7ac0] [c0000000001d141c]
do_exit+0x2ec/0x870
[    2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150
[    2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50
[    2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0
[    2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
(...)
[    2.558892] ---[ end trace 0000000000000000 ]---
[    2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1
[    2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144
Here the modprobe process ended up with an allocated mm_struct from the mm_struct slab that was used before by the debug_vm_pgtable test. That is not a problem, since the mm_stru ---truncated---
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39782
In the Linux kernel, the following vulnerability has been resolved:
jbd2: prevent softlockup in jbd2_log_do_checkpoint()
Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for j_list_lock, the combined time spent waiting and processing can be significant. jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when need_resched() is true to avoid softlockups during prolonged operations. But jbd2_log_do_checkpoint() only exits its loop when need_resched() is true, relying on potentially sleeping functions like __flush_batch() or wait_on_buffer() to trigger rescheduling. If those functions do not sleep, the kernel may hit a softlockup.
watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]
CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10
Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017
Workqueue: writeback wb_workfn (flush-7:2)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : native_queued_spin_lock_slowpath+0x358/0x418
lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
Call trace:
  native_queued_spin_lock_slowpath+0x358/0x418
  jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
  __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]
  add_transaction_credits+0x3bc/0x418 [jbd2]
  start_this_handle+0xf8/0x560 [jbd2]
  jbd2__journal_start+0x118/0x228 [jbd2]
  __ext4_journal_start_sb+0x110/0x188 [ext4]
  ext4_do_writepages+0x3dc/0x740 [ext4]
  ext4_writepages+0xa4/0x190 [ext4]
  do_writepages+0x94/0x228
  __writeback_single_inode+0x48/0x318
  writeback_sb_inodes+0x204/0x590
  __writeback_inodes_wb+0x54/0xf8
  wb_writeback+0x2cc/0x3d8
  wb_do_writeback+0x2e0/0x2f8
  wb_workfn+0x80/0x2a8
  process_one_work+0x178/0x3e8
  worker_thread+0x234/0x3b8
  kthread+0xf0/0x108
  ret_from_fork+0x10/0x20
So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid softlockup.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39783
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix configfs group list head handling
Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this field is a list head, not a list entry.
This list_del() call triggers a KASAN warning when an endpoint function driver which has a configfs attribute group is torn down:
==================================================================
BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319
CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
Hardware name: Radxa ROCK 5B (DT)
Call trace:
  show_stack+0x2c/0x84 (C)
  dump_stack_lvl+0x70/0x98
  print_report+0x17c/0x538
  kasan_report+0xb8/0x190
  __asan_report_store8_noabort+0x20/0x2c
  pci_epf_remove_cfs+0x17c/0x198
  pci_epf_unregister_driver+0x18/0x30
  nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
  __arm64_sys_delete_module+0x264/0x424
  invoke_syscall+0x70/0x260
  el0_svc_common.constprop.0+0xac/0x230
  do_el0_svc+0x40/0x58
  el0_svc+0x48/0xdc
  el0t_64_sync_handler+0x10c/0x138
  el0t_64_sync+0x198/0x19c
...
Remove this incorrect list_del() call from pci_epf_remove_cfs().
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 7.8 (HIGH), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39787
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: mdt_loader: Ensure we don't read past the ELF header
When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessarily the case for other clients. Validate the size of the firmware buffer to ensure that we don't read past the end as we iterate over the header. e_phentsize and e_shentsize are validated as well, to ensure that the assumptions about step size in the traversal are valid.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39788
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up programming the UTRL_NEXUS_TYPE incorrectly as 0. This is because the left hand side of the shift is 1, which is of type int, i.e. 31 bits wide. Shifting by more than that width results in undefined behaviour. Fix this by switching to the BIT() macro, which applies correct type casting as required. This ensures the correct value is written to UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift warning:
UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
shift exponent 32 is too large for 32-bit type 'int'
For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE write.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39790
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: Detect events pointing to unexpected TREs
When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE.
The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer. For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed.
This behavior was observed on an ep that used the upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")', where the device updated the event ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to, before the device had the chance to update them. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers.
This commit aims to harden the host by ensuring transactions where the event points to a TRE that isn't local_rp + 1 are chained.
[mani: added stable tag and reworded commit message]
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-415 Double Free
Metrics: CVSS 3.1, Base Score 6.7 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39794
In the Linux kernel, the following vulnerability has been resolved:
ARM: tegra: Use I/O memcpy to write to IRAM
Kasan crashes the kernel trying to check boundaries when using the normal memcpy.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 7.1 (HIGH), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2025-39795
In the Linux kernel, the following vulnerability has been resolved:
block: avoid possible overflow for chunk_sectors check in blk_stack_limits()
In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->physical_block_size value. However, by finding the chunk_sectors value in bytes, we may overflow the unsigned int which holds chunk_sectors, so change the check to be based on sectors.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-674 Uncontrolled Recursion
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39798
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix the setting of capabilities when automounting a new filesystem
Capabilities cannot be inherited when we cross into a new filesystem. They need to be reset to the minimal defaults, and then probed for again.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-273 Improper Check for Dropped Privileges
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39800
In the Linux kernel, the following vulnerability has been resolved:
btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()
If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow metadata with an unexpected generation to be persisted. Instead of warning only, abort the transaction and return -EUCLEAN.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39801
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Remove WARN_ON for device endpoint command timeouts
This commit addresses a rarely observed endpoint command timeout which causes a kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen during fast software-controlled connect/disconnect testcases. The following is one such endpoint command timeout that we observed:
1. Connect
=======
->dwc3_thread_interrupt
->dwc3_ep0_interrupt
->configfs_composite_setup
->composite_setup
->usb_ep_queue
->dwc3_gadget_ep0_queue
->__dwc3_gadget_ep0_queue
->__dwc3_ep0_do_control_data
->dwc3_send_gadget_ep_cmd
2. Disconnect
==========
->dwc3_thread_interrupt
->dwc3_gadget_disconnect_interrupt
->dwc3_ep0_reset_state
->dwc3_ep0_end_control_data
->dwc3_send_gadget_ep_cmd
In the issue scenario, in Exynos platforms, we observed that control transfers for the previous connect have not yet been completed and the end transfer command sent as a part of the disconnect sequence and the processing of the USB_ENDPOINT_HALT feature request from the host time out. This may be an expected scenario since the controller is processing EP commands sent as a part of the previous connect. It may be better to remove WARN_ON in all places where device endpoint commands are sent to avoid unnecessary kernel panic due to warn.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39806
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in a report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15; however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[   13.671954] ==================================================================
[   13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[   13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[   13.673297]
[   13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[   13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[   13.673297] Call Trace:
[   13.673297]
[   13.673297]  dump_stack_lvl+0x5f/0x80
[   13.673297]  print_report+0xd1/0x660
[   13.673297]  kasan_report+0xe5/0x120
[   13.673297]  __asan_report_load1_noabort+0x18/0x20
[   13.673297]  mt_report_fixup+0x103/0x110
[   13.673297]  hid_open_report+0x1ef/0x810
[   13.673297]  mt_probe+0x422/0x960
[   13.673297]  hid_device_probe+0x2e2/0x6f0
[   13.673297]  really_probe+0x1c6/0x6b0
[   13.673297]  __driver_probe_device+0x24f/0x310
[   13.673297]  driver_probe_device+0x4e/0x220
[   13.673297]  __device_attach_driver+0x169/0x320
[   13.673297]  bus_for_each_drv+0x11d/0x1b0
[   13.673297]  __device_attach+0x1b8/0x3e0
[   13.673297]  device_initial_probe+0x12/0x20
[   13.673297]  bus_probe_device+0x13d/0x180
[   13.673297]  device_add+0xe3a/0x1670
[   13.673297]  hid_add_device+0x31d/0xa40
[...]
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 7.0 (HIGH), Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39808
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()
In ntrig_report_version(), the hdev parameter is passed from hid_probe().
Sending a descriptor to /dev/uhid can make hdev->dev.parent->parent NULL. If hdev->dev.parent->parent is NULL, usb_dev has the invalid address (0xffffffffffffff58) that hid_to_usb_dev(hdev) returned; when usb_rcvctrlpipe() uses usb_dev, it triggers a page fault error for address 0xffffffffffffff58. Add NULL-check logic to ntrig_report_version() before calling hid_to_usb_dev().
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39812
In the Linux kernel, the following vulnerability has been resolved:
sctp: initialize more fields in sctp_v6_from_sk()
syzbot found that sin6_scope_id was not properly initialized, leading to undefined behavior. Clear sin6_scope_id and sin6_flowinfo.
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
  __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
  sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983
  sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390
  sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452
  sctp_get_port net/sctp/socket.c:8523 [inline]
  sctp_listen_start net/sctp/socket.c:8567 [inline]
  sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636
  __sys_listen_socket net/socket.c:1912 [inline]
  __sys_listen net/socket.c:1927 [inline]
  __do_sys_listen net/socket.c:1932 [inline]
  __se_sys_listen net/socket.c:1930 [inline]
  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930
  x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable addr.i.i created at:
  sctp_get_port net/sctp/socket.c:8515 [inline]
  sctp_listen_start net/sctp/socket.c:8567 [inline]
  sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636
  __sys_listen_socket net/socket.c:1912 [inline]
  __sys_listen net/socket.c:1927 [inline]
  __do_sys_listen net/socket.c:1932 [inline]
  __se_sys_listen net/socket.c:1930 [inline]
  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39813
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
When calling ftrace_dump_one() concurrently with reading trace_pipe, a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to
a race condition. The issue occurs because:
CPU0 (ftrace_dump)                              CPU1 (reader)
echo z > /proc/sysrq-trigger
!trace_empty(&iter)
trace_iterator_reset(&iter) <- len = size = 0
                                                cat /sys/kernel/tracing/trace_pipe
trace_find_next_entry_inc(&iter)
  __find_next_entry
    ring_buffer_empty_cpu <- all empty
  return NULL
trace_printk_seq(&iter.seq)
  WARN_ON_ONCE(s->seq.len >= s->seq.size)
In the context between trace_empty() and trace_find_next_entry_inc() during ftrace_dump, the ring buffer data was consumed by other readers. This caused trace_find_next_entry_inc to return NULL, failing to populate `iter.seq`. At this point, due to the prior trace_iterator_reset, both `iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, the WARN_ON_ONCE condition is triggered.
Move the trace_printk_seq() into the if block that checks to make sure the return value of trace_find_next_entry_inc() is non-NULL in ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before subsequent operations.
Affected Products: Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected)
Remediation (Vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39817
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Observed on kernel 6.6 (present on master as well):
BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
Call trace:
  kasan_check_range+0xe8/0x190
  __asan_loadN+0x1c/0x28
  memcmp+0x98/0xd0
  efivarfs_d_compare+0x68/0xd8
  __d_lookup_rcu_op_compare+0x178/0x218
  __d_lookup_rcu+0x1f8/0x228
  d_alloc_parallel+0x150/0x648
  lookup_open.isra.0+0x5f0/0x8d0
  open_last_lookups+0x264/0x828
  path_openat+0x130/0x3f8
  do_filp_open+0x114/0x248
  do_sys_openat2+0x340/0x3c0
 __arm64_sys_openat+0x120/0x1a0

If dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become negative, leading to oob. The issue can be triggered by parallel lookups using an invalid filename:

T1                                        T2
lookup_open
  ->lookup
    simple_lookup
      d_add   // invalid dentry is added to hash list
                                          lookup_open
                                            d_alloc_parallel
                                              __d_lookup_rcu
                                                __d_lookup_rcu_op_compare
                                                  hlist_bl_for_each_entry_rcu   // invalid dentry can be retrieved
                                                    ->d_compare
                                                      efivarfs_d_compare   // oob

Fix it by checking 'guid' before cmp.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39819
In the Linux kernel, the following vulnerability has been resolved:

fs/smb: Fix inconsistent refcnt update

A possible inconsistent update of refcount was identified in `smb2_compound_op`. Such an inconsistent update could lead to possible resource leaks.

Why it is a possible bug:
1. In the comment section of the function, it clearly states that the reference to `cfile` should be dropped after calling this function.
2. Every control flow path would check and drop the reference to `cfile`, except the patched one.
3. Existing callers would not handle the refcount update of `cfile` if -ENOMEM is returned.

To fix the bug, an extra goto label "out" is added, to make sure that the cleanup logic would always be respected. As the problem is caused by the allocation failure of `vars`, the cleanup logic between label "finished" and "out" can be safely ignored. According to the definition of function `is_replayable_error`, the error code "-ENOMEM" is not recoverable. Therefore, the replay logic also gets ignored.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39823
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: use array_index_nospec with indices that come from guest

min and dest_id are guest-controlled indices. Using array_index_nospec() after the bounds checks clamps these values to mitigate speculative execution side-channels.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39824
In the Linux kernel, the following vulnerability has been resolved:

HID: asus: fix UAF via HID_CLAIMED_INPUT validation

After hid_hw_start() is called, hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However it is possible that the capability bitmaps are not set at all, leading the subsequent hidinput_has_been_populated() check to fail, which in turn leads to the freeing of the hid_input and the underlying input device.
This becomes problematic because a malicious HID device like an ASUS ROG N-Key keyboard can trigger the above scenario via a specially crafted descriptor, which then leads to a use-after-free when the name of the freed input device is written to later on after hid_hw_start().

Below, report 93 intentionally utilises the HID_UP_UNDEFINED Usage Page which is skipped during usage configuration, leading to the frees.

0x05, 0x0D,        // Usage Page (Digitizer)
0x09, 0x05,        // Usage (Touch Pad)
0xA1, 0x01,        // Collection (Application)
0x85, 0x0D,        //   Report ID (13)
0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)
0x09, 0xC5,        //   Usage (0xC5)
0x15, 0x00,        //   Logical Minimum (0)
0x26, 0xFF, 0x00,  //   Logical Maximum (255)
0x75, 0x08,        //   Report Size (8)
0x95, 0x04,        //   Report Count (4)
0xB1, 0x02,        //   Feature (Data,Var,Abs)
0x85, 0x5D,        //   Report ID (93)
0x06, 0x00, 0x00,  //   Usage Page (Undefined)
0x09, 0x01,        //   Usage (0x01)
0x15, 0x00,        //   Logical Minimum (0)
0x26, 0xFF, 0x00,  //   Logical Maximum (255)
0x75, 0x08,        //   Report Size (8)
0x95, 0x1B,        //   Report Count (27)
0x81, 0x02,        //   Input (Data,Var,Abs)
0xC0,              // End Collection

Below is the KASAN splat after triggering the UAF:

[ 21.672709] ==================================================================
[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80
[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54
[ 21.673700]
[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)
[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 21.673700] Call Trace:
[ 21.673700]
[ 21.673700]  dump_stack_lvl+0x5f/0x80
[ 21.673700]  print_report+0xd1/0x660
[ 21.673700]  kasan_report+0xe5/0x120
[ 21.673700]  __asan_report_store8_noabort+0x1b/0x30
[ 21.673700]  asus_probe+0xeeb/0xf80
[ 21.673700]  hid_device_probe+0x2ee/0x700
[ 21.673700]  really_probe+0x1c6/0x6b0
[ 21.673700]  __driver_probe_device+0x24f/0x310
[ 21.673700]  driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Allocated by task 54:
[ 21.673700]  kasan_save_stack+0x3d/0x60
[ 21.673700]  kasan_save_track+0x18/0x40
[ 21.673700]  kasan_save_alloc_info+0x3b/0x50
[ 21.673700]  __kasan_kmalloc+0x9c/0xa0
[ 21.673700]  __kmalloc_cache_noprof+0x139/0x340
[ 21.673700]  input_allocate_device+0x44/0x370
[ 21.673700]  hidinput_connect+0xcb6/0x2630
[ 21.673700]  hid_connect+0xf74/0x1d60
[ 21.673700]  hid_hw_start+0x8c/0x110
[ 21.673700]  asus_probe+0x5a3/0xf80
[ 21.673700]  hid_device_probe+0x2ee/0x700
[ 21.673700]  really_probe+0x1c6/0x6b0
[ 21.673700]  __driver_probe_device+0x24f/0x310
[ 21.673700]  driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Freed by task 54:
[ 21.673700]  kasan_save_stack+0x3d/0x60
[ 21.673700]  kasan_save_track+0x18/0x40
[ 21.673700]  kasan_save_free_info+0x3f/0x60
[ 21.673700]  __kasan_slab_free+0x3c/0x50
[ 21.673700]  kfre
---truncated---

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39825
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix race with concurrent opens in rename(2)

Besides sending the rename request to the server, the rename process also involves closing any deferred close, waiting for outstanding I/O to complete as well as marking all existing open handles as deleted to prevent them from deferring closes, which increases the race window for potential concurrent opens on the target file.

Fix this by unhashing the dentry in advance to prevent any concurrent opens on the target.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39826
In the Linux kernel, the following vulnerability has been resolved:

net: rose: convert 'use' field to refcount_t

The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths. For example, when rose_neigh->use becomes zero during an ioctl operation via rose_rt_ioctl(), the structure may be removed while its timer is still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and updates all code paths to use rose_neigh_hold() and rose_neigh_put(), which operate on reference counts atomically.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39827
In the Linux kernel, the following vulnerability has been resolved:

net: rose: include node references in rose_neigh refcount

The current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock.
This patch merges these two reference counting systems, using the 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented.

This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node().

These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39828
In the Linux kernel, the following vulnerability has been resolved:

atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().

syzbot reported the splat below. [0]

When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message.

The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length. Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.

The notable thing is that struct atmtcp_control is uAPI but has a space for an in-kernel pointer.

  struct atmtcp_control {
  	struct atmtcp_hdr hdr;	/* must be first */
  	...
  	atm_kptr_t vcc;		/* both directions */
  	...
  } __ATM_API_ALIGN;

  typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;

The special message is processed in atmtcp_recv_control() called from atmtcp_c_send().

atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:

  1.
.ndo_start_xmit() (vcc->send() == atm_send_aal0())
  2. vcc_sendmsg()

The problem is that sendmsg() does not validate the message length and userspace can abuse atmtcp_recv_control() to overwrite any kptr by atmtcp_control.

Let's add a new ->pre_send() hook to validate messages from sendmsg().

[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]
CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]
RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297
Call Trace:
 vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8d7e96a4a9
Modules linked in:

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39835
In the Linux kernel, the following vulnerability has been resolved:

xfs: do not propagate ENODATA disk errors into xattr code

ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code; namely, that the requested attribute name could not be found.

However, a medium error from disk may also return ENODATA. At best, this medium error may escape to userspace as "attribute not found" when in fact it's an IO (disk) error.

At worst, we may oops in xfs_attr_leaf_get() when we do:

	error = xfs_attr_leaf_hasname(args, &bp);

	if (error == -ENOATTR) {
		xfs_trans_brelse(args->trans, bp);
		return error;
	}

because an ENODATA/ENOATTR error from disk leaves us with a null bp, and the xfs_trans_brelse will then null-deref it.
As discussed on the list, we really need to modify the lower level IO functions to trap all disk errors and ensure that we don't let unique errors like this leak up into higher xfs functions - many like this should be remapped to EIO.

However, this patch directly addresses a reported bug in the xattr code, and should be safe to backport to stable kernels. A larger-scope patch to handle more unique errors at lower levels can follow later.

(Note, prior to 07120f1abdff we did not oops, but we did return the wrong error code to userspace.)

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39838
In the Linux kernel, the following vulnerability has been resolved:

cifs: prevent NULL pointer dereference in UTF16 conversion

There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes it unchecked to cifs_strndup_to_utf16, which in turn passes it to cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.

This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and returns NULL early to prevent dereferencing a NULL pointer.
Found by Linux Verification Center (linuxtesting.org) with SVACE

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39839
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix OOB read/write in network-coding decode

batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds read and a small out-of-bounds write.

Validate that coded_len fits within the payload area of both destination and source sk_buffs before XORing.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39841
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix buffer free/clear order in deferred receive path

Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost path) also inspect and release the same pointer under the lock, so the old order could lead to double-free/UAF.
Note that the repost path already uses the correct pattern: detach the pointer under the lock, then free it after dropping the lock. The deferred path should do the same.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7.8, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39842
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: prevent release journal inode after journal shutdown

Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. Therefore, the following calltrace will inevitably fail when it reaches jbd2_journal_release_jbd_inode().

ocfs2_dismount_volume()->
  ocfs2_delete_osb()->
    ocfs2_free_slot_info()->
      __ocfs2_free_slot_info()->
        evict()->
          ocfs2_evict_inode()->
            ocfs2_clear_inode()->
              jbd2_journal_release_jbd_inode(osb->journal->j_journal,

Adding osb->journal checks will prevent null-ptr-deref during the above execution path.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39843
In the Linux kernel, the following vulnerability has been resolved:

mm: slub: avoid wake up kswapd in set_track_prepare

set_track_prepare() can incur lock recursion.
The issue is that it is called from hrtimer_start_range_ns holding the per_cpu(hrtimer_bases)[n].lock, but when CONFIG_DEBUG_OBJECTS_TIMERS is enabled, it may wake up kswapd in set_track_prepare and try to hold the per_cpu(hrtimer_bases)[n].lock.

Avoid the deadlock caused by implicitly waking up kswapd by passing in allocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the debug_objects_fill_pool() case. Inside stack depot they are processed by gfp_nested_mask(). Since ___slab_alloc() has preemption disabled, we mask out __GFP_DIRECT_RECLAIM from the flags there.

The oops looks something like:

BUG: spinlock recursion on CPU#3, swapper/3/0
 lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3
Hardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)
Call trace:
 spin_bug+0x0
 _raw_spin_lock_irqsave+0x80
 hrtimer_try_to_cancel+0x94
 task_contending+0x10c
 enqueue_dl_entity+0x2a4
 dl_server_start+0x74
 enqueue_task_fair+0x568
 enqueue_task+0xac
 do_activate_task+0x14c
 ttwu_do_activate+0xcc
 try_to_wake_up+0x6c8
 default_wake_function+0x20
 autoremove_wake_function+0x1c
 __wake_up+0xac
 wakeup_kswapd+0x19c
 wake_all_kswapds+0x78
 __alloc_pages_slowpath+0x1ac
 __alloc_pages_noprof+0x298
 stack_depot_save_flags+0x6b0
 stack_depot_save+0x14
 set_track_prepare+0x5c
 ___slab_alloc+0xccc
 __kmalloc_cache_noprof+0x470
 __set_page_owner+0x2bc
 post_alloc_hook[jt]+0x1b8
 prep_new_page+0x28
 get_page_from_freelist+0x1edc
 __alloc_pages_noprof+0x13c
 alloc_slab_page+0x244
 allocate_slab+0x7c
 ___slab_alloc+0x8e8
 kmem_cache_alloc_noprof+0x450
 debug_objects_fill_pool+0x22c
 debug_object_activate+0x40
 enqueue_hrtimer[jt]+0xdc
 hrtimer_start_range_ns+0x5f8
 ...
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39844
In the Linux kernel, the following vulnerability has been resolved:

mm: move page table sync declarations to linux/pgtable.h

During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory:

BUG: unable to handle page fault for address: ffffe70000000034
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP NOPTI
RIP: 0010:__init_single_page+0x9/0x6d
Call Trace:
 __init_zone_device_page+0x17/0x5d
 memmap_init_zone_device+0x154/0x1bb
 pagemap_range+0x2e0/0x40f
 memremap_pages+0x10b/0x2f0
 devm_memremap_pages+0x1e/0x60
 dev_dax_probe+0xce/0x2ec [device_dax]
 dax_bus_probe+0x6d/0xc9
 [... snip ...]

It turns out that the kernel panics while initializing vmemmap (struct page array) when the vmemmap region spans two PGD entries, because the new PGD entry is only installed in init_mm.pgd, but not in the page tables of other tasks.

And looking at __populate_section_memmap():

	if (vmemmap_can_optimize(altmap, pgmap))
		// does not sync top level page tables
		r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);
	else
		// sync top level page tables in x86
		r = vmemmap_populate(start, end, nid, altmap);

In the normal path, vmemmap_populate() in arch/x86/mm/init_64.c synchronizes the top level page table (See commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes")) so that all tasks in the system can see the new vmemmap area.
However, when vmemmap_can_optimize() returns true, the optimized path skips synchronization of top-level page tables. This is because vmemmap_populate_compound_pages() is implemented in core MM code, which does not handle synchronization of the top-level page tables. Instead, the core MM has historically relied on each architecture to perform this synchronization manually.

We're not the first party to encounter a crash caused by not-sync'd top level page tables: earlier this year, Gwan-gyeong Mun attempted to address the issue [1] [2] after hitting a kernel panic when x86 code accessed the vmemmap area before the corresponding top-level entries were synced. At that time, the issue was believed to be triggered only when struct page was enlarged for debugging purposes, and the patch did not get further updates.

It turns out that the current approach of relying on each arch to handle the page table sync manually is fragile because 1) it's easy to forget to sync the top level page table, and 2) it's also easy to overlook that the kernel should not access the vmemmap and direct mapping areas before the sync.

# The solution: Make page table sync more robust and harder to miss

To address this, Dave Hansen suggested [3] [4] introducing {pgd,p4d}_populate_kernel() for updating the kernel portion of the page tables and allowing each architecture to explicitly perform synchronization when installing top-level entries. With this approach, we no longer need to worry about missing the sync step, reducing the risk of future regressions.

The new interface reuses the existing ARCH_PAGE_TABLE_SYNC_MASK, PGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by vmalloc and ioremap to synchronize page tables.
pgd_populate_kernel() looks like this:

static inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd, p4d_t *p4d)
{
	pgd_populate(&init_mm, pgd, p4d);
	if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED)
		arch_sync_kernel_mappings(addr, addr);
}

It is worth noting that vmalloc() and apply_to_range() carefully synchronize page tables by calling p*d_alloc_track() and arch_sync_kernel_mappings(), and thus they are not affected by
---truncated---

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39845
In the Linux kernel, the following vulnerability has been resolved:

x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()

Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel().

For 5-level paging, synchronization is performed via pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so synchronization is instead performed at the P4D level via p4d_populate_kernel().

This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory:

BUG: unable to handle page fault for address: ffffe70000000034
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP NOPTI
RIP: 0010:__init_single_page+0x9/0x6d
Call Trace:
 __init_zone_device_page+0x17/0x5d
 memmap_init_zone_device+0x154/0x1bb
 pagemap_range+0x2e0/0x40f
 memremap_pages+0x10b/0x2f0
 devm_memremap_pages+0x1e/0x60
 dev_dax_probe+0xce/0x2ec [device_dax]
 dax_bus_probe+0x6d/0xc9
 [... snip ...]
It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]:

BUG: unable to handle page fault for address: ffffeb3ff1200000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI
Tainted: [W]=WARN
RIP: 0010:vmemmap_set_pmd+0xff/0x230
 vmemmap_populate_hugepages+0x176/0x180
 vmemmap_populate+0x34/0x80
 __populate_section_memmap+0x41/0x90
 sparse_add_section+0x121/0x3e0
 __add_pages+0xba/0x150
 add_pages+0x1d/0x70
 memremap_pages+0x3dc/0x810
 devm_memremap_pages+0x1c/0x60
 xe_devm_add+0x8b/0x100 [xe]
 xe_tile_init_noalloc+0x6a/0x70 [xe]
 xe_device_probe+0x48c/0x740 [xe]
 [... snip ...]

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39846
In the Linux kernel, the following vulnerability has been resolved:

pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()

In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmcia_make_resource(). Fix this bug by adding a check of res.
Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39847
In the Linux kernel, the following vulnerability has been resolved:

ppp: fix memory leak in pad_compress_skb

If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does:

	skb = pad_compress_skb(ppp, skb);
	if (!skb)
		goto drop;

drop:
	kfree_skb(skb);

When pad_compress_skb() returns NULL, the reference to the old skb is lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.

Align pad_compress_skb() semantics with realloc(): only free the old skb if allocation and compression succeed. At the call site, use the new_skb variable so the original skb is not lost when pad_compress_skb() fails.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-772 Missing Release of Resource after Effective Lifetime
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39848
In the Linux kernel, the following vulnerability has been resolved:

ax25: properly unshare skbs in ax25_kiss_rcv()

Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains").

skb->dev becomes NULL and we crash in __netif_receive_skb_core().

Before the above commit, different kinds of bugs or corruptions could happen without a major crash.
But the root cause is that ax25_kiss_rcv() can queue/mangle the input skb without checking if this skb is shared or not.

Many thanks to Bernard Pidoux for his help, diagnosis and tests.

We had a similar issue years ago fixed with commit 7aaed57c5c28 ("phonet: properly unshare skbs in phonet_rcv()").

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39849
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()

If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would lead to memory corruption, so add some bounds checking.

Affected Products: Siemens SIMATIC
Vendor: Siemens
Product Version: SIMATIC CN 4100
Product Status: known_affected
Remediations: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39853
In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix potential invalid access when MAC list is empty

list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced.

Fix this by using list_first_entry_or_null instead of list_first_entry.
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-39857 In the Linux kernel, the following vulnerability has been resolved: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() BUG: kernel NULL pointer dereference, address: 00000000000002ec PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Workqueue: smc_hs_wq smc_listen_work [smc] RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc] ... Call Trace: smcr_buf_map_link+0x211/0x2a0 [smc] __smc_buf_create+0x522/0x970 [smc] smc_buf_create+0x3a/0x110 [smc] smc_find_rdma_v2_device_serv+0x18f/0x240 [smc] ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc] smc_listen_find_device+0x1dd/0x2b0 [smc] smc_listen_work+0x30f/0x580 [smc] process_one_work+0x18c/0x340 worker_thread+0x242/0x360 kthread+0xe7/0x220 ret_from_fork+0x13a/0x160 ret_from_fork_asm+0x1a/0x30 If the software RoCE device is used, ibdev->dma_device is a null pointer. As a result, the problem occurs. Null pointer detection is added to prevent problems. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-39860 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() syzbot reported the splat below without a repro. In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that. The root cause would be the racy l2cap_sock_cleanup_listen() call added by the cited commit. bt_accept_dequeue() is called under lock_sock() except for l2cap_sock_release(). Two threads could see the same socket during the list iteration in bt_accept_dequeue(): CPU1 CPU2 (close()) ---- ---- sock_hold(sk) sock_hold(sk); lock_sock(sk) <-- block close() sock_put(sk) bt_accept_unlink(sk) sock_put(sk) <-- refcnt by bt_accept_enqueue() release_sock(sk) lock_sock(sk) sock_put(sk) bt_accept_unlink(sk) sock_put(sk) <-- last refcnt bt_accept_unlink(sk) <-- UAF Depending on the timing, the other thread could show up in the "Freed by task" part. Let's call l2cap_sock_cleanup_listen() under lock_sock() in l2cap_sock_release(). 
[0]: BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 spin_lock_bh include/linux/spinlock.h:356 [inline] release_sock+0x21/0x220 net/core/sock.c:3746 bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 __sock_release+0xb3/0x270 net/socket.c:649 sock_close+0x1c/0x30 net/socket.c:1439 __fput+0x3ff/0xb70 fs/file_table.c:468 task_work_run+0x14d/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2accf8ebe9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdb6cb1378 EFLAGS: 
00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 Allocated by task 5326: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4365 [inline] __kmalloc_nopro ---truncated--- View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2025-39864 In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-39865 In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 
0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15 View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-39866 In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ 
Call trace: __mark_inode_dirty+0x124/0x418 generic_update_time+0x4c/0x60 file_modified+0xcc/0xd0 ext4_buffered_write_iter+0x58/0x124 ext4_file_write_iter+0x54/0x704 vfs_write+0x1c0/0x308 ksys_write+0x74/0x10c __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x40/0xe4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x194/0x198 Root cause is: systemd-random-seed kworker ---------------------------------------------------------------------- ___mark_inode_dirty inode_switch_wbs_work_fn spin_lock(&inode->i_lock); inode_attach_wb locked_inode_to_wb_and_lock_list get inode->i_wb spin_unlock(&inode->i_lock); spin_lock(&wb->list_lock) spin_lock(&inode->i_lock) inode_io_list_move_locked spin_unlock(&wb->list_lock) spin_unlock(&inode->i_lock) spin_lock(&old_wb->list_lock) inode_do_switch_wbs spin_lock(&inode->i_lock) inode->i_wb = new_wb spin_unlock(&inode->i_lock) spin_unlock(&old_wb->list_lock) wb_put_many(old_wb, nr_switched) cgwb_release old wb released wb_wakeup_delayed() accesses wb, then trigger the use-after-free issue Fix this race condition by holding inode spinlock until wb_wakeup_delayed() finished. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-416 Use After Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-40300 In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. 
Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ] View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2025-43368 A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26, iOS 26 and iPadOS 26, macOS Tahoe 26. Processing maliciously crafted web content may lead to an unexpected Safari crash. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-416 Use After Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-47219 In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-48989 Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-404 Improper Resource Shutdown or Release Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-53057 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-284 Improper Access Control Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-53066 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-55752 Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-23 Relative Path Traversal Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-55754 Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2025-61748 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-284 Improper Access Control Metrics CVSS Version Base Score Base Severity Vector String 3.1 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2025-61795 Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-404 Improper Resource Shutdown or Release Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-2673 Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. 
Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicted keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519') being the only ones in the client's initial keyshare prediction. OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server, the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares, would have been more preferred if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. 
Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-21925 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS v3.1 base score 4.8 (MEDIUM); vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVE-2026-21932
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS v3.1 base score 7.4 (HIGH); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS v3.1 base score 6.1 (MEDIUM); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics: CVSS v3.1 base score 7.5 (HIGH); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-21947
Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics: CVSS v3.1 base score 3.1 (LOW); vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2026-22924
The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions. This could allow an attacker to disrupt normal operations or perform unauthorized actions, potentially impacting system availability and integrity.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS v3.1 base score 9.1 (CRITICAL); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2026-22925
The affected application is susceptible to resource exhaustion when subjected to a high volume of TCP SYN packets. This could allow an attacker to render the service unavailable and cause denial-of-service conditions by overwhelming system resources.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics: CVSS v3.1 base score 7.5 (HIGH); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-28387
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.
Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage, are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue; the problem code is outside the FIPS module boundary.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS v3.1 base score 7 (HIGH); vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE-2026-28388
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed, a NULL pointer dereference might happen if the required CRL Number extension is missing.
Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing are enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS v3.1 base score 7.5 (HIGH); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-28389
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS v3.1 base score 7.5 (HIGH); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-28390
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo, a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of the RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS v3.1 base score 7.5 (HIGH); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-31789
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.
Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as the multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow, resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 7 (HIGH); vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE-2026-31790
Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer.
Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process, which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround, calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens); product status: known_affected
Remediation (vendor fix): Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions
Metrics: CVSS v3.1 base score 7.5 (HIGH); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Acknowledgments
Siemens ProductCERT reported these vulnerabilities to CISA.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-032379 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
Revision 1 (2026-05-12): Publication Date
Revision 2 (2026-05-14): Initial CISA Republication of Siemens ProductCERT SSA-032379 advisory
Summary
Ruggedcom Rox before v2.17.1 contains multiple third-party vulnerabilities. Siemens has released new versions for the affected products and recommends updating to the latest versions.

The following versions of Siemens Ruggedcom Rox are affected. Each of the products below is affected at vers:intdot/<2.17.1 by the same set of vulnerabilities: CVE-2019-13103, CVE-2019-13104, CVE-2019-13106, CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203, CVE-2019-14204, CVE-2020-10648, CVE-2022-2347, CVE-2022-30552, CVE-2022-30790, CVE-2022-34835, CVE-2023-3019, CVE-2023-27043, CVE-2024-3447, CVE-2024-22365, CVE-2024-57256, CVE-2024-57258, CVE-2025-0395, CVE-2025-3576, CVE-2025-6020, CVE-2025-7425, CVE-2025-9714, CVE-2025-46836, CVE-2025-49794, CVE-2025-49796.
RUGGEDCOM ROX MX5000 vers:intdot/<2.17.1
RUGGEDCOM ROX MX5000RE vers:intdot/<2.17.1
RUGGEDCOM ROX RX1400 vers:intdot/<2.17.1
RUGGEDCOM ROX RX1500 vers:intdot/<2.17.1
RUGGEDCOM ROX RX1501 vers:intdot/<2.17.1
RUGGEDCOM ROX RX1510 vers:intdot/<2.17.1
RUGGEDCOM ROX RX1511 vers:intdot/<2.17.1
RUGGEDCOM ROX RX1512 vers:intdot/<2.17.1
RUGGEDCOM ROX RX1524 vers:intdot/<2.17.1
RUGGEDCOM ROX RX1536 vers:intdot/<2.17.1
RUGGEDCOM ROX RX5000 vers:intdot/<2.17.1

CVSS v3: 9.8
Vendor: Siemens
Equipment: Siemens Ruggedcom Rox
Vulnerabilities: Uncontrolled Recursion, Integer Underflow (Wrap or Wraparound), Out-of-bounds Write, Out-of-bounds Read, Improper Input Validation, Heap-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Use After Free, Improper Validation of Syntactic Correctness of Input, Improper Control of a Resource Through its Lifetime, Integer Overflow or Wraparound, Incorrect Calculation of Buffer Size, Use of Weak Hash, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Stack-based Buffer Overflow, Expired Pointer Dereference

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2019-13103
A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-674 Uncontrolled Recursion
Metrics: CVSS v3.1 base score 7.1 (HIGH); vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2019-13104
In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-191 Integer Underflow (Wrap or Wraparound)
Metrics: CVSS v3.1 base score 7.8 (HIGH); vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2019-13106
Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 7.8 (HIGH); vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2019-14192
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet integer underflow during an nc_input_packet call.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-191 Integer Underflow (Wrap or Wraparound)
Metrics: CVSS v3.1 base score 9.8 (CRITICAL); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14193
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with an unvalidated length at nfs_readlink_reply, in the "if" block after calculating the new path length.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 9.8 (CRITICAL); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14194
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_read_reply when calling store_block in the NFSv2 case.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 9.8 (CRITICAL); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14195
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with unvalidated length at nfs_readlink_reply in the "else" block after calculating the new path length.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 9.8 (CRITICAL); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14196
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_lookup_reply.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 9.8 (CRITICAL); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14197
An issue was discovered in Das U-Boot through 2019.07. There is a read of out-of-bounds data at nfs_read_reply.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS v3.0 base score 9.1 (CRITICAL); vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2019-14198
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_read_reply when calling store_block in the NFSv3 case.
Affected products: Siemens Ruggedcom Rox (vendor: Siemens): RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000; product status: known_affected
Remediation (vendor fix): Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 9.8 (CRITICAL); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14199
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet integer underflow during an *udp_packet_handler call.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-191 Integer Underflow (Wrap or Wraparound)
Metrics: CVSS 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14200
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: rpc_lookup_reply.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14201
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_lookup_reply.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14202
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_readlink_reply.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14203
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_mount_reply.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14204
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_umountall_reply.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-10648
Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 7.8, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-2347
There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-122 Heap-based Buffer Overflow
Metrics: CVSS 3.1, Base Score 7.7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-30552
Das U-Boot 2022.01 has a Buffer Overflow.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Metrics: CVSS 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-30790
Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 7.8, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34835
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2023-3019
A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS 3.1, Base Score 6, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE-2023-27043
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-1286 Improper Validation of Syntactic Correctness of Input
Metrics: CVSS 3.1, Base Score 5.3, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2024-3447
A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-122 Heap-based Buffer Overflow
Metrics: CVSS 3.1, Base Score 6, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE-2024-22365
linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-664 Improper Control of a Resource Through its Lifetime
Metrics: CVSS 3.1, Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2024-57256
An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics: CVSS 3.1, Base Score 7.1, Base Severity HIGH, Vector String CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2024-57258
Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics: CVSS 3.1, Base Score 7.1, Base Severity HIGH, Vector String CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2025-0395
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-131 Incorrect Calculation of Buffer Size
Metrics: CVSS 3.1, Base Score 6.2, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-3576
A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-328 Use of Weak Hash
Metrics: CVSS 3.1, Base Score 5.9, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2025-6020
A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics: CVSS 3.1, Base Score 7.8, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-7425
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS 3.1, Base Score 7.8, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

CVE-2025-9714
Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-674 Uncontrolled Recursion
Metrics: CVSS 3.1, Base Score 6.2, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-46836
net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. In versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. A patch is available and expected to be part of version 2.20.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-121 Stack-based Buffer Overflow
Metrics: CVSS 3.1, Base Score 6.6, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CVE-2025-49794
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-825 Expired Pointer Dereference
Metrics: CVSS 3.1, Base Score 9.1, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2025-49796
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
Affected Products: Siemens Ruggedcom Rox
Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS 3.1, Base Score 9.1, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Acknowledgments
Siemens ProductCERT reported these vulnerabilities to CISA.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-577017 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12

Date        Revision  Summary
2026-05-12  1         Publication Date
2026-05-14  2         Initial CISA Republication of Siemens ProductCERT SSA-577017 advisory
Summary
Multiple industrial devices contain a vulnerability that could allow an attacker to cause a denial of service condition. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.

The following versions of Siemens Industrial Devices are affected:
IE/PB LINK HA (6GK1411-5BB00) vers:all/* (CVE-2025-40833)
IE/PB link PN IO (6GK1411-5AB10) vers:all/* (CVE-2025-40833)
RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) vers:intdot/<8.3 (CVE-2025-40833)
RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M804PB (6GK5804-0AP00-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M812-1 ADSL-Router (6GK5812-1AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M812-1 ADSL-Router (6GK5812-1BA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M816-1 ADSL-Router (6GK5816-1AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M816-1 ADSL-Router (6GK5816-1BA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M874-2 (6GK5874-2AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M874-3 (6GK5874-3AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M876-3 (6GK5876-3AA02-2BA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M876-4 (6GK5876-4AA10-2BA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUB852-1 (A1) (6GK5852-1EA10-1AA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUB852-1 (B1) (6GK5852-1EA10-1BA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833)
SCALANCE SC622-2C (6GK5622-2GS00-2AC2) vers:all/* (CVE-2025-40833)
SCALANCE SC626-2C (6GK5626-2GS00-2AC2) vers:all/* (CVE-2025-40833)
SCALANCE SC632-2C (6GK5632-2GS00-2AC2) vers:all/* (CVE-2025-40833)
SCALANCE SC636-2C (6GK5636-2GS00-2AC2) vers:all/* (CVE-2025-40833)
SCALANCE SC642-2C (6GK5642-2GS00-2AC2) vers:all/* (CVE-2025-40833)
SCALANCE SC646-2C (6GK5646-2GS00-2AC2) vers:all/* (CVE-2025-40833)
SCALANCE W1748-1 M12 (6GK5748-1GY01-0AA0) vers:all/* (CVE-2025-40833)
SCALANCE W1748-1 M12 (6GK5748-1GY01-0TA0) vers:all/* (CVE-2025-40833)
SCALANCE W1788-1 M12 (6GK5788-1GY01-0AA0) vers:all/* (CVE-2025-40833)
SCALANCE W1788-2 EEC M12 (6GK5788-2GY01-0TA0) vers:all/* (CVE-2025-40833)
SCALANCE W1788-2 M12 (6GK5788-2GY01-0AA0) vers:all/* (CVE-2025-40833)
SCALANCE W1788-2IA M12 (6GK5788-2HY01-0AA0) vers:all/* (CVE-2025-40833)
SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AC0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA6) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W734-1 RJ45 (USA) (6GK5734-1FX00-0AB6) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W738-1 M12 (6GK5738-1GY00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W738-1 M12 (6GK5738-1GY00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W748-1 M12 (6GK5748-1GD00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W748-1 M12 (6GK5748-1GD00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA6) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AC0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W774-1 RJ45 (USA) (6GK5774-1FX00-0AB6) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W778-1 M12 (6GK5778-1GY00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W778-1 M12 (6GK5778-1GY00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W778-1 M12 EEC (6GK5778-1GY00-0TA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W778-1 M12 EEC (USA) (6GK5778-1GY00-0TB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833)
SCALANCE W786-2 RJ45
(6GK5786-2FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AC0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 SFP (6GK5786-2FE00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 SFP (6GK5786-2FE00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-1 M12 (6GK5788-1GD00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-1 M12 (6GK5788-1GD00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 (6GK5788-2GD00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 (6GK5788-2GD00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TC0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AC0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM763-1 (6GK5763-1AL00-7DA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM763-1 (ME) (6GK5763-1AL00-7DC0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM763-1 (US) (6GK5763-1AL00-7DB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 (6GK5766-1GE00-7DA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 (ME) (6GK5766-1GE00-7DC0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0) vers:intdot/<3.2.0 
(CVE-2025-40833) SCALANCE WAM766-1 EEC (6GK5766-1GE00-7TA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 EEC (ME) (6GK5766-1GE00-7TC0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUB762-1 (6GK5762-1AJ00-1AA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUB762-1 iFeatures (6GK5762-1AJ00-2AA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM763-1 (6GK5763-1AL00-3AA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM763-1 (6GK5763-1AL00-3DA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM763-1 (US) (6GK5763-1AL00-3AB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM763-1 (US) (6GK5763-1AL00-3DB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM766-1 (6GK5766-1GE00-3DA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM766-1 (ME) (6GK5766-1GE00-3DC0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM766-1 (USA) (6GK5766-1GE00-3DB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE X204-2 (6GK5204-2BB10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X204-2FM (6GK5204-2BB11-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X204-2LD (6GK5204-2BC10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X204-2LD TS (6GK5204-2BC10-2CA2) vers:all/* (CVE-2025-40833) SCALANCE X204-2TS (6GK5204-2BB10-2CA2) vers:all/* (CVE-2025-40833) SCALANCE X206-1 (6GK5206-1BB10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X206-1LD (6GK5206-1BC10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X208 (6GK5208-0BA10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X208PRO (6GK5208-0HA10-2AA6) vers:all/* (CVE-2025-40833) SCALANCE X212-2 (6GK5212-2BB00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X212-2LD (6GK5212-2BC00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X216 (6GK5216-0BA00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X224 (6GK5224-0BA00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (230V, coated) (6GK5302-7GD00-3GA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (230V) (6GK5302-7GD00-3EA3) vers:all/* (CVE-2025-40833) SCALANCE 
X302-7 EEC (24V, coated) (6GK5302-7GD00-1GA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (24V) (6GK5302-7GD00-1EA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (2x 230V, coated) (6GK5302-7GD00-4GA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (2x 230V) (6GK5302-7GD00-4EA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (2x 24V, coated) (6GK5302-7GD00-2GA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (2x 24V) (6GK5302-7GD00-2EA3) vers:all/* (CVE-2025-40833) SCALANCE X304-2FE (6GK5304-2BD00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X306-1LD FE (6GK5306-1BF00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (230V, coated) (6GK5307-2FD00-3GA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (230V) (6GK5307-2FD00-3EA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (24V, coated) (6GK5307-2FD00-1GA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (24V) (6GK5307-2FD00-1EA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (2x 230V, coated) (6GK5307-2FD00-4GA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (2x 230V) (6GK5307-2FD00-4EA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (2x 24V, coated) (6GK5307-2FD00-2GA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (2x 24V) (6GK5307-2FD00-2EA3) vers:all/* (CVE-2025-40833) SCALANCE X307-3 (6GK5307-3BL00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X307-3 (6GK5307-3BL10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X307-3LD (6GK5307-3BM00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X307-3LD (6GK5307-3BM10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2 (6GK5308-2FL00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2 RD (inkl. 
SIPLUS variants) vers:all/* (CVE-2025-40833) SCALANCE X308-2LD (6GK5308-2FM00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LD (6GK5308-2FM10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LH (6GK5308-2FN00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LH (6GK5308-2FN10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LH+ (6GK5308-2FP00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LH+ (6GK5308-2FP10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2M (6GK5308-2GG00-2AA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M (6GK5308-2GG10-2AA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M PoE (6GK5308-2QG00-2AA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M PoE (6GK5308-2QG10-2AA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M TS (6GK5308-2GG00-2CA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M TS (6GK5308-2GG10-2CA2) vers:all/* (CVE-2025-40833) SCALANCE X310 (6GK5310-0FA00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X310 (6GK5310-0FA10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X310FE (6GK5310-0BA00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X310FE (6GK5310-0BA10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X320-1 FE (6GK5320-1BD00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X320-1-2LD FE (6GK5320-3BF00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X408-2 (6GK5408-2FD00-2AA2) vers:all/* (CVE-2025-40833) SCALANCE XF204 (6GK5204-0BA00-2AF2) vers:all/* (CVE-2025-40833) SCALANCE XF204-2 (6GK5204-2BC00-2AF2) vers:all/* (CVE-2025-40833) SCALANCE XF206-1 (6GK5206-1BC00-2AF2) vers:all/* (CVE-2025-40833) SCALANCE XF208 (6GK5208-0BA00-2AF2) vers:all/* (CVE-2025-40833) SCALANCE XM408-4C (6GK5408-4GP00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM408-4C (L3 int.) (6GK5408-4GQ00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM408-8C (6GK5408-8GS00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM408-8C (L3 int.) (6GK5408-8GR00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM416-4C (6GK5416-4GS00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM416-4C (L3 int.) 
(6GK5416-4GR00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG10-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG00-3HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG10-3HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG00-1AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG10-1AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG00-1HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG10-1HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M TS (24V) (6GK5324-0GG00-1CR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M TS (24V) (6GK5324-0GG10-1CR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-3ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-3ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-3JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-3JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG00-1ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG10-1ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG00-1JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG10-1JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-4ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-4ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 
100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-4JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-4JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG00-2ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG10-2ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG00-2JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG10-2JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG10-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG00-3HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG10-3HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG00-1AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG10-1AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG00-1HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG10-1HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG00-1CR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG10-1CR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 1x230V (6GK5524-8GS00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 1x230V (L3 int.) (6GK5524-8GR00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 24V (6GK5524-8GS00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 24V (L3 int.) (6GK5524-8GR00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 2x230V (6GK5524-8GS00-4AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 2x230V (L3 int.) 
(6GK5524-8GR00-4AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 1x230V (6GK5526-8GS00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 1x230V (L3 int.) (6GK5526-8GR00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 24V (6GK5526-8GS00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 24V (L3 int.) (6GK5526-8GR00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 2x230V (6GK5526-8GS00-4AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 2x230V (L3 int.) (6GK5526-8GR00-4AR2) vers:all/* (CVE-2025-40833) SCALANCE XR528-6M (6GK5528-0AA00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR528-6M (2HR2, L3 int.) (6GK5528-0AR00-2HR2) vers:all/* (CVE-2025-40833) SCALANCE XR528-6M (2HR2) (6GK5528-0AA00-2HR2) vers:all/* (CVE-2025-40833) SCALANCE XR528-6M (L3 int.) (6GK5528-0AR00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR552-12M (6GK5552-0AA00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR552-12M (2HR2, L3 int.) (6GK5552-0AR00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR552-12M (2HR2) (6GK5552-0AA00-2HR2) vers:all/* (CVE-2025-40833) SCALANCE XR552-12M (2HR2) (6GK5552-0AR00-2HR2) vers:all/* (CVE-2025-40833) SIMATIC CFU DIQ (6ES7655-5PX31-1XX0) vers:intdot/<2.0.0 (CVE-2025-40833) SIMATIC CFU PA (6ES7655-5PX11-0XX0) vers:intdot/<2.0.0 (CVE-2025-40833) SIMATIC CFU PA (6ES7655-5PX11-1XX0) vers:intdot/<2.0.0 (CVE-2025-40833) SIMATIC ET 200pro IM 154-8 PN/DP CPU (6ES7154-8AB01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200pro IM 154-8F PN/DP CPU (6ES7154-8FB01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200pro IM 154-8FX PN/DP CPU (6ES7154-8FX00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200S IM 151-8 PN/DP CPU (6ES7151-8AB01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200S IM 151-8F PN/DP CPU (6ES7151-8FB01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0) 
vers:all/* (CVE-2025-40833) SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200SP HA IM155-6 PN vers:intdot/<1.3 (CVE-2025-40833) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 412-2 PN V7 (6ES7412-2EK07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 414-3 PN/DP V7 (6ES7414-3EM07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 414F-3 PN/DP V7 (6ES7414-3FM07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 416-3 PN/DP V7 (6ES7416-3ES07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 416F-3 PN/DP V7 (6ES7416-3FS07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 H V6 CPU family (incl. 
SIPLUS variants) vers:all/* (CVE-2025-40833) SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants) vers:intdot/<10.2 (CVE-2025-40833) SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants) vers:intdot/<8.3 (CVE-2025-40833) SIMIT UNIT V10 vers:all/* (CVE-2025-40833) SIMIT UNIT V11 vers:all/* (CVE-2025-40833) SINAMICS CBE20 vers:all/* (CVE-2025-40833) SINAMICS G115D vers:all/* (CVE-2025-40833) SINAMICS G120 (incl. SIPLUS variants) vers:all/* (CVE-2025-40833) SINAMICS G120C vers:all/* (CVE-2025-40833) SINAMICS G120D vers:all/* (CVE-2025-40833) SINAMICS G120X vers:all/* (CVE-2025-40833) SINAMICS G120XA vers:all/* (CVE-2025-40833) SINAMICS G130 vers:all/* (CVE-2025-40833) SINAMICS G150 vers:all/* (CVE-2025-40833) SINAMICS S110 vers:all/* (CVE-2025-40833) SINAMICS S120 (incl. SIPLUS variants) vers:all/* (CVE-2025-40833) SINAMICS S150 vers:all/* (CVE-2025-40833) SINUMERIK 840D sl vers:all/* (CVE-2025-40833) SIPLUS ET 200S IM 151-8 PN/DP CPU (6AG1151-8AB01-7AB0) vers:all/* (CVE-2025-40833) SIPLUS ET 200S IM 151-8F PN/DP CPU (6AG1151-8FB01-2AB0) vers:all/* (CVE-2025-40833) SIPLUS NET IE/PB link PN IO (6AG1411-5AB10-2AA0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-400 CPU 414-3 PN/DP V7 (6AG1414-3EM07-7AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-400 CPU 416-3 PN/DP V7 (6AG1416-3ES07-7AB0) vers:all/* (CVE-2025-40833) SITOP PSU8600 1AC 20 A/4x5 A PN (6EP3336-8MB00-2CY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 20 A PN (6EP3436-8SB00-2AY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 20 A/4x5 A PN (6EP3436-8MB00-2CY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 40 A PN 
(6EP3437-8SB00-2AY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 40 A/4x10 A PN (6EP3437-8MB00-2CY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 40 A/4x10A EIP (6EP3437-8MB10-2CY0) vers:all/* (CVE-2025-40833) SITOP UPS1600 10 A Ethernet/ PROFINET (6EP4134-3AB00-2AY0) vers:all/* (CVE-2025-40833) SITOP UPS1600 20 A Ethernet/ PROFINET (6EP4136-3AB00-2AY0) vers:all/* (CVE-2025-40833) SITOP UPS1600 40 A Ethernet/ PROFINET (6EP4137-3AB00-2AY0) vers:all/* (CVE-2025-40833) SITOP UPS1600 EX 20 A Ethernet PROFINET (6EP4136-3AC00-2AY0) vers:all/* (CVE-2025-40833)

CVSS: v3 7.5
Vendor: Siemens
Equipment: Siemens Industrial Devices
Vulnerabilities: NULL Pointer Dereference

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2025-40833
The affected devices contain a null pointer dereference vulnerability while processing specially crafted IPv4 requests. This could allow an attacker to cause a denial of service condition. A manual restart is required to recover the system.
Affected Products
Siemens Industrial Devices
Vendor: Siemens
Product Version: IE/PB LINK HA (6GK1411-5BB00), IE/PB link PN IO (6GK1411-5AB10), RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2), SCALANCE M804PB (6GK5804-0AP00-2AA2), SCALANCE M812-1 ADSL-Router (6GK5812-1AA00-2AA2), SCALANCE M812-1 ADSL-Router (6GK5812-1BA00-2AA2), SCALANCE M816-1 ADSL-Router (6GK5816-1AA00-2AA2), SCALANCE M816-1 ADSL-Router (6GK5816-1BA00-2AA2), SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2), SCALANCE M874-2 (6GK5874-2AA00-2AA2), SCALANCE M874-3 (6GK5874-3AA00-2AA2), SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2), SCALANCE M876-3 (6GK5876-3AA02-2BA2), SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2), SCALANCE M876-4 (6GK5876-4AA10-2BA2), SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2), SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2), SCALANCE MUB852-1 (A1) (6GK5852-1EA10-1AA1), SCALANCE MUB852-1 (B1) (6GK5852-1EA10-1BA1), SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1), SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1), SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1), SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1), SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1), SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1), SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1), SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1), SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2), SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2), SCALANCE SC622-2C (6GK5622-2GS00-2AC2), SCALANCE SC626-2C (6GK5626-2GS00-2AC2), SCALANCE SC632-2C (6GK5632-2GS00-2AC2), SCALANCE SC636-2C (6GK5636-2GS00-2AC2), SCALANCE SC642-2C (6GK5642-2GS00-2AC2), SCALANCE SC646-2C (6GK5646-2GS00-2AC2), SCALANCE W1748-1 M12 (6GK5748-1GY01-0AA0), SCALANCE W1748-1 M12 (6GK5748-1GY01-0TA0), SCALANCE W1788-1 M12 (6GK5788-1GY01-0AA0), SCALANCE W1788-2 EEC M12 (6GK5788-2GY01-0TA0), SCALANCE W1788-2 M12 (6GK5788-2GY01-0AA0), SCALANCE W1788-2IA M12 (6GK5788-2HY01-0AA0), SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AA0), SCALANCE W721-1 
RJ45 (6GK5721-1FC00-0AB0), SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AA0), SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AB0), SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AC0), SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA0), SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA6), SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AB0), SCALANCE W734-1 RJ45 (USA) (6GK5734-1FX00-0AB6), SCALANCE W738-1 M12 (6GK5738-1GY00-0AA0), SCALANCE W738-1 M12 (6GK5738-1GY00-0AB0), SCALANCE W748-1 M12 (6GK5748-1GD00-0AA0), SCALANCE W748-1 M12 (6GK5748-1GD00-0AB0), SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AA0), SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AB0), SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AA0), SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AB0), SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TA0), SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TB0), SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA0), SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA6), SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AB0), SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AC0), SCALANCE W774-1 RJ45 (USA) (6GK5774-1FX00-0AB6), SCALANCE W778-1 M12 (6GK5778-1GY00-0AA0), SCALANCE W778-1 M12 (6GK5778-1GY00-0AB0), SCALANCE W778-1 M12 EEC (6GK5778-1GY00-0TA0), SCALANCE W778-1 M12 EEC (USA) (6GK5778-1GY00-0TB0), SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AA0), SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AB0), SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AA0), SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AB0), SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AC0), SCALANCE W786-2 SFP (6GK5786-2FE00-0AA0), SCALANCE W786-2 SFP (6GK5786-2FE00-0AB0), SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AA0), SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AB0), SCALANCE W788-1 M12 (6GK5788-1GD00-0AA0), SCALANCE W788-1 M12 (6GK5788-1GD00-0AB0), SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AA0), SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AB0), SCALANCE W788-2 M12 (6GK5788-2GD00-0AA0), SCALANCE W788-2 M12 (6GK5788-2GD00-0AB0), SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TA0), SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TB0), SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TC0), SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AA0), 
SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AB0), SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AC0), SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0), SCALANCE WAM763-1 (6GK5763-1AL00-7DA0), SCALANCE WAM763-1 (ME) (6GK5763-1AL00-7DC0), SCALANCE WAM763-1 (US) (6GK5763-1AL00-7DB0), SCALANCE WAM766-1 (6GK5766-1GE00-7DA0), SCALANCE WAM766-1 (ME) (6GK5766-1GE00-7DC0), SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0), SCALANCE WAM766-1 EEC (6GK5766-1GE00-7TA0), SCALANCE WAM766-1 EEC (ME) (6GK5766-1GE00-7TC0), SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0), SCALANCE WUB762-1 (6GK5762-1AJ00-1AA0), SCALANCE WUB762-1 iFeatures (6GK5762-1AJ00-2AA0), SCALANCE WUM763-1 (6GK5763-1AL00-3AA0), SCALANCE WUM763-1 (6GK5763-1AL00-3DA0), SCALANCE WUM763-1 (US) (6GK5763-1AL00-3AB0), SCALANCE WUM763-1 (US) (6GK5763-1AL00-3DB0), SCALANCE WUM766-1 (6GK5766-1GE00-3DA0), SCALANCE WUM766-1 (ME) (6GK5766-1GE00-3DC0), SCALANCE WUM766-1 (USA) (6GK5766-1GE00-3DB0), SCALANCE X204-2 (6GK5204-2BB10-2AA3), SCALANCE X204-2FM (6GK5204-2BB11-2AA3), SCALANCE X204-2LD (6GK5204-2BC10-2AA3), SCALANCE X204-2LD TS (6GK5204-2BC10-2CA2), SCALANCE X204-2TS (6GK5204-2BB10-2CA2), SCALANCE X206-1 (6GK5206-1BB10-2AA3), SCALANCE X206-1LD (6GK5206-1BC10-2AA3), SCALANCE X208 (6GK5208-0BA10-2AA3), SCALANCE X208PRO (6GK5208-0HA10-2AA6), SCALANCE X212-2 (6GK5212-2BB00-2AA3), SCALANCE X212-2LD (6GK5212-2BC00-2AA3), SCALANCE X216 (6GK5216-0BA00-2AA3), SCALANCE X224 (6GK5224-0BA00-2AA3), SCALANCE X302-7 EEC (230V, coated) (6GK5302-7GD00-3GA3), SCALANCE X302-7 EEC (230V) (6GK5302-7GD00-3EA3), SCALANCE X302-7 EEC (24V, coated) (6GK5302-7GD00-1GA3), SCALANCE X302-7 EEC (24V) (6GK5302-7GD00-1EA3), SCALANCE X302-7 EEC (2x 230V, coated) (6GK5302-7GD00-4GA3), SCALANCE X302-7 EEC (2x 230V) (6GK5302-7GD00-4EA3), SCALANCE X302-7 EEC (2x 24V, coated) (6GK5302-7GD00-2GA3), SCALANCE X302-7 EEC (2x 24V) (6GK5302-7GD00-2EA3), SCALANCE X304-2FE (6GK5304-2BD00-2AA3), SCALANCE X306-1LD FE (6GK5306-1BF00-2AA3), SCALANCE X307-2 EEC (230V, coated) (6GK5307-2FD00-3GA3), 
SCALANCE X307-2 EEC (230V) (6GK5307-2FD00-3EA3), SCALANCE X307-2 EEC (24V, coated) (6GK5307-2FD00-1GA3), SCALANCE X307-2 EEC (24V) (6GK5307-2FD00-1EA3), SCALANCE X307-2 EEC (2x 230V, coated) (6GK5307-2FD00-4GA3), SCALANCE X307-2 EEC (2x 230V) (6GK5307-2FD00-4EA3), SCALANCE X307-2 EEC (2x 24V, coated) (6GK5307-2FD00-2GA3), SCALANCE X307-2 EEC (2x 24V) (6GK5307-2FD00-2EA3), SCALANCE X307-3 (6GK5307-3BL00-2AA3), SCALANCE X307-3 (6GK5307-3BL10-2AA3), SCALANCE X307-3LD (6GK5307-3BM00-2AA3), SCALANCE X307-3LD (6GK5307-3BM10-2AA3), SCALANCE X308-2 (6GK5308-2FL00-2AA3), SCALANCE X308-2 RD (inkl. SIPLUS variants), SCALANCE X308-2LD (6GK5308-2FM00-2AA3), SCALANCE X308-2LD (6GK5308-2FM10-2AA3), SCALANCE X308-2LH (6GK5308-2FN00-2AA3), SCALANCE X308-2LH (6GK5308-2FN10-2AA3), SCALANCE X308-2LH+ (6GK5308-2FP00-2AA3), SCALANCE X308-2LH+ (6GK5308-2FP10-2AA3), SCALANCE X308-2M (6GK5308-2GG00-2AA2), SCALANCE X308-2M (6GK5308-2GG10-2AA2), SCALANCE X308-2M PoE (6GK5308-2QG00-2AA2), SCALANCE X308-2M PoE (6GK5308-2QG10-2AA2), SCALANCE X308-2M TS (6GK5308-2GG00-2CA2), SCALANCE X308-2M TS (6GK5308-2GG10-2CA2), SCALANCE X310 (6GK5310-0FA00-2AA3), SCALANCE X310 (6GK5310-0FA10-2AA3), SCALANCE X310FE (6GK5310-0BA00-2AA3), SCALANCE X310FE (6GK5310-0BA10-2AA3), SCALANCE X320-1 FE (6GK5320-1BD00-2AA3), SCALANCE X320-1-2LD FE (6GK5320-3BF00-2AA3), SCALANCE X408-2 (6GK5408-2FD00-2AA2), SCALANCE XF204 (6GK5204-0BA00-2AF2), SCALANCE XF204-2 (6GK5204-2BC00-2AF2), SCALANCE XF206-1 (6GK5206-1BC00-2AF2), SCALANCE XF208 (6GK5208-0BA00-2AF2), SCALANCE XM408-4C (6GK5408-4GP00-2AM2), SCALANCE XM408-4C (L3 int.) (6GK5408-4GQ00-2AM2), SCALANCE XM408-8C (6GK5408-8GS00-2AM2), SCALANCE XM408-8C (L3 int.) (6GK5408-8GR00-2AM2), SCALANCE XM416-4C (6GK5416-4GS00-2AM2), SCALANCE XM416-4C (L3 int.) 
(6GK5416-4GR00-2AM2), SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG00-3AR2), SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG10-3AR2), SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG00-3HR2), SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG10-3HR2), SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG00-1AR2), SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG10-1AR2), SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG00-1HR2), SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG10-1HR2), SCALANCE XR324-12M TS (24V) (6GK5324-0GG00-1CR2), SCALANCE XR324-12M TS (24V) (6GK5324-0GG10-1CR2), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-3ER2), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-3ER2), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-3JR2), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-3JR2), SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG00-1ER2), SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG10-1ER2), SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG00-1JR2), SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG10-1JR2), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-4ER2), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-4ER2), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-4JR2), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-4JR2), SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG00-2ER2), SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG10-2ER2), SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG00-2JR2), SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG10-2JR2), SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG00-3AR2), SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG10-3AR2), SCALANCE XR324-4M PoE (230V, 
ports on rear) (6GK5324-4QG00-3HR2), SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG10-3HR2), SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG00-1AR2), SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG10-1AR2), SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG00-1HR2), SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG10-1HR2), SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG00-1CR2), SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG10-1CR2), SCALANCE XR524-8C, 1x230V (6GK5524-8GS00-3AR2), SCALANCE XR524-8C, 1x230V (L3 int.) (6GK5524-8GR00-3AR2), SCALANCE XR524-8C, 24V (6GK5524-8GS00-2AR2), SCALANCE XR524-8C, 24V (L3 int.) (6GK5524-8GR00-2AR2), SCALANCE XR524-8C, 2x230V (6GK5524-8GS00-4AR2), SCALANCE XR524-8C, 2x230V (L3 int.) (6GK5524-8GR00-4AR2), SCALANCE XR526-8C, 1x230V (6GK5526-8GS00-3AR2), SCALANCE XR526-8C, 1x230V (L3 int.) (6GK5526-8GR00-3AR2), SCALANCE XR526-8C, 24V (6GK5526-8GS00-2AR2), SCALANCE XR526-8C, 24V (L3 int.) (6GK5526-8GR00-2AR2), SCALANCE XR526-8C, 2x230V (6GK5526-8GS00-4AR2), SCALANCE XR526-8C, 2x230V (L3 int.) (6GK5526-8GR00-4AR2), SCALANCE XR528-6M (6GK5528-0AA00-2AR2), SCALANCE XR528-6M (2HR2, L3 int.) (6GK5528-0AR00-2HR2), SCALANCE XR528-6M (2HR2) (6GK5528-0AA00-2HR2), SCALANCE XR528-6M (L3 int.) (6GK5528-0AR00-2AR2), SCALANCE XR552-12M (6GK5552-0AA00-2AR2), SCALANCE XR552-12M (2HR2, L3 int.) 
(6GK5552-0AR00-2AR2), SCALANCE XR552-12M (2HR2) (6GK5552-0AA00-2HR2), SCALANCE XR552-12M (2HR2) (6GK5552-0AR00-2HR2), SIMATIC CFU DIQ (6ES7655-5PX31-1XX0), SIMATIC CFU PA (6ES7655-5PX11-0XX0), SIMATIC CFU PA (6ES7655-5PX11-1XX0), SIMATIC ET 200pro IM 154-8 PN/DP CPU (6ES7154-8AB01-0AB0), SIMATIC ET 200pro IM 154-8F PN/DP CPU (6ES7154-8FB01-0AB0), SIMATIC ET 200pro IM 154-8FX PN/DP CPU (6ES7154-8FX00-0AB0), SIMATIC ET 200S IM 151-8 PN/DP CPU (6ES7151-8AB01-0AB0), SIMATIC ET 200S IM 151-8F PN/DP CPU (6ES7151-8FB01-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0), SIMATIC ET 200SP HA IM155-6 PN, SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0), SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0), SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0), SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0), SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0), SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0), SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0), SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0), SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0), SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0), SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0), SIMATIC S7-400 CPU 412-2 PN V7 (6ES7412-2EK07-0AB0), SIMATIC S7-400 CPU 414-3 PN/DP V7 (6ES7414-3EM07-0AB0), SIMATIC S7-400 CPU 414F-3 PN/DP V7 (6ES7414-3FM07-0AB0), SIMATIC S7-400 CPU 416-3 PN/DP V7 (6ES7416-3ES07-0AB0), SIMATIC S7-400 CPU 416F-3 PN/DP V7 (6ES7416-3FS07-0AB0), SIMATIC S7-400 H V6 CPU 
family (incl. SIPLUS variants), SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants), SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants), SIMIT UNIT V10, SIMIT UNIT V11, SINAMICS CBE20, SINAMICS G115D, SINAMICS G120 (incl. SIPLUS variants), SINAMICS G120C, SINAMICS G120D, SINAMICS G120X, SINAMICS G120XA, SINAMICS G130, SINAMICS G150, SINAMICS S110, SINAMICS S120 (incl. SIPLUS variants), SINAMICS S150, SINUMERIK 840D sl, SIPLUS ET 200S IM 151-8 PN/DP CPU (6AG1151-8AB01-7AB0), SIPLUS ET 200S IM 151-8F PN/DP CPU (6AG1151-8FB01-2AB0), SIPLUS NET IE/PB link PN IO (6AG1411-5AB10-2AA0), SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0), SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0), SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0), SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0), SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0), SIPLUS S7-400 CPU 414-3 PN/DP V7 (6AG1414-3EM07-7AB0), SIPLUS S7-400 CPU 416-3 PN/DP V7 (6AG1416-3ES07-7AB0), SITOP PSU8600 1AC 20 A/4x5 A PN (6EP3336-8MB00-2CY0), SITOP PSU8600 3AC 20 A PN (6EP3436-8SB00-2AY0), SITOP PSU8600 3AC 20 A/4x5 A PN (6EP3436-8MB00-2CY0), SITOP PSU8600 3AC 40 A PN (6EP3437-8SB00-2AY0), SITOP PSU8600 3AC 40 A/4x10 A PN (6EP3437-8MB00-2CY0), SITOP PSU8600 3AC 40 A/4x10A EIP (6EP3437-8MB10-2CY0), SITOP UPS1600 10 A Ethernet/ PROFINET (6EP4134-3AB00-2AY0), SITOP UPS1600 20 A Ethernet/ PROFINET (6EP4136-3AB00-2AY0), SITOP UPS1600 40 A Ethernet/ PROFINET (6EP4137-3AB00-2AY0), SITOP UPS1600 EX 20 A Ethernet PROFINET (6EP4136-3AC00-2AY0)
Product Status: known_affected

Remediations
Mitigation: As a mitigation, disable the Ethernet ports on the CPU and use a communication module (such as a CP) for communication instead.
Mitigation: Restrict access to the affected systems to trusted IP addresses only.
No fix planned: Currently no fix is planned.
None available: Currently no fix is available.
Vendor fix: Update to V10.2 or later version (https://support.industry.siemens.com/cs/ww/en/view/109773044/)
Vendor fix: Update to V2.0.0 or later version (https://support.industry.siemens.com/cs/ww/en/view/109781049/)
Vendor fix: Update to V2.0.0 or later version (https://support.industry.siemens.com/cs/ww/en/view/109754628/)
Vendor fix: Update to V3.2.0 or later version (https://support.industry.siemens.com/cs/ww/en/view/109992747/)
Vendor fix: Update to V6.6.0 or later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/)
Vendor fix: Update to V8.3 or later version (https://support.industry.siemens.com/cs/ww/en/view/109476571/)
Vendor fix: Update to V8.3 or later version (https://support.industry.siemens.com/cs/ww/en/view/109989310/)
Vendor fix: Update to V1.3 or later version
Vendor fix: https://support.industry.siemens.com/cs/ww/en/view/1029552/

Relevant CWE: CWE-476 NULL Pointer Dereference

Metrics
CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-392349 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, Revision 1: Publication Date
2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-392349 advisory
Summary
The SIPROTEC 5 devices do not use sufficiently random numbers to generate session identifiers. This could facilitate a brute-force attack against a valid session identifier which could allow an unauthenticated remote attacker to hijack a valid user session. The affected session identifiers are only used in a subset of the endpoints that are provided by the affected products. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.
The following versions of Siemens SIPROTEC 5 are affected: SIPROTEC 5 6MD84 (CP300) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 6MD85 (CP200) vers:all/* () SIPROTEC 5 6MD85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 6MD86 (CP200) vers:all/* () SIPROTEC 5 6MD86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 6MD89 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 6MU85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7KE85 (CP200) vers:all/* () SIPROTEC 5 7KE85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SA82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SA82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SA84 (CP200) vers:all/* () SIPROTEC 5 7SA86 (CP200) vers:all/* () SIPROTEC 5 7SA86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SA87 (CP200) vers:all/* () SIPROTEC 5 7SA87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SD82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SD82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SD84 (CP200) vers:all/* () SIPROTEC 5 7SD86 (CP200) vers:all/* () SIPROTEC 5 7SD86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SD87 (CP200) vers:all/* () SIPROTEC 5 7SD87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SJ81 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SJ81 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SJ82 (CP100) vers:intdot/>=7.80 
(CVE-2024-54017) SIPROTEC 5 7SJ82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SJ85 (CP200) vers:all/* () SIPROTEC 5 7SJ85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SJ86 (CP200) vers:all/* () SIPROTEC 5 7SJ86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SK82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SK82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SK85 (CP200) vers:all/* () SIPROTEC 5 7SK85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SL82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SL82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SL86 (CP200) vers:all/* () SIPROTEC 5 7SL86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SL87 (CP200) vers:all/* () SIPROTEC 5 7SL87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SS85 (CP200) vers:all/* () SIPROTEC 5 7SS85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7ST85 (CP200) vers:all/* () SIPROTEC 5 7ST85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7ST86 (CP300) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SX82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SX85 (CP300) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SY82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7UM85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7UT82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7UT82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7UT85 (CP200) vers:all/* () SIPROTEC 5 7UT85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7UT86 (CP200) vers:all/* () SIPROTEC 5 7UT86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7UT87 (CP200) vers:all/* () SIPROTEC 5 7UT87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7VE85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7VK87 (CP200) vers:all/* () SIPROTEC 5 7VK87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7VU85 
(CP300) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 Compact 7SX800 (CP050) vers:intdot/<11.0 (CVE-2024-54017)

CVSS v3: 5.3
Vendor: Siemens
Equipment: Siemens SIPROTEC 5
Vulnerabilities: Small Space of Random Values

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2024-54017
Affected devices do not use sufficiently random values to create session identifiers. This could allow an unauthenticated remote attacker to brute force a session identifier and gain read access to limited information from the web server without authorization.

Affected Products
Siemens SIPROTEC 5
Vendor: Siemens
Product Version: SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT82 (CP100), SIPROTEC 5 7UT82 (CP150), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300), SIPROTEC 5 Compact 7SX800 (CP050)
Product Status: known_affected, known_not_affected

Remediations
None available: Currently no fix is available.
Vendor fix: Update to V11.0 or later version (https://support.industry.siemens.com/cs/ww/en/view/109814150/)
Vendor fix: Update to V11.0 or later version (https://support.industry.siemens.com/cs/ww/en/view/109757433/)
Vendor fix: Update to V11.0 or later version (https://support.industry.siemens.com/cs/ww/en/view/109796884/)

Relevant CWE: CWE-334 Small Space of Random Values

Metrics
CVSS Version: 3.1
Base Score: 5.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA. SEC Consult Vulnerability Lab reported this vulnerability to Siemens.

General Recommendations
Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.
Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before it is applied, and supervision by trained staff of the update process in the target environment.
As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-786884 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, Revision 1: Publication Date
2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-786884 advisory
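The CWE-334 weakness in the SIPROTEC 5 advisory above (session identifiers drawn from too small a space) can be checked from the outside by sampling identifiers and bounding the space they actually vary over. The following is an added example, not Siemens' code: the SIPROTEC 5 generator is not public, so weak_session_id() is a constructed stand-in with a deliberately small space, and the 64-bit floor is taken from OWASP's session-management guidance.

```python
"""Audit session identifiers for a small random-value space (CWE-334).

Added example, not Siemens' code. weak_session_id() is a constructed
stand-in for a generator with a small space; audit_session_ids() is the
defender-side check: sample IDs from a web server and estimate how much
of each identifier really varies.
"""
import math
import secrets
from typing import Dict, List

# OWASP Session Management Cheat Sheet: at least 64 bits of entropy.
MIN_ENTROPY_BITS = 64


def weak_session_id(counter: int) -> str:
    """Constructed weak generator: 32 hex chars, but only 16 bits vary.

    The ID is 128 bits on the wire, yet all but the last four hex digits
    are a fixed prefix and those four come from a 16-bit counter-like
    value. Illustrative only; not the device's algorithm.
    """
    return "5ec5e551" + "0" * 20 + f"{counter & 0xFFFF:04x}"


def strong_session_id() -> str:
    """Hardened form: 128 bits from the OS CSPRNG via the secrets module."""
    return secrets.token_hex(16)


def estimate_entropy_bits(ids: List[str]) -> float:
    """Upper-bound the keyspace a sample of IDs was drawn from.

    Per character position, count the distinct symbols observed; the
    product over positions is the largest space consistent with the
    sample, so its log2 bounds the generator's entropy from above. A
    position that never changes contributes log2(1) = 0 bits. The bound
    tightens with sample size; a few thousand IDs separates a 16-bit
    space from a 128-bit one.
    """
    if not ids:
        raise ValueError("need at least one session identifier")
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("session identifiers must have equal length")
    return sum(math.log2(len({s[pos] for s in ids})) for pos in range(width))


def looks_sequential(ids: List[str]) -> bool:
    """True when the hex IDs, sorted as integers, step by one constant.

    A constant stride makes the next identifier predictable from the
    current one regardless of how large the apparent keyspace is.
    """
    values = sorted(int(s, 16) for s in ids)
    if len(values) < 3:
        return False
    strides = {b - a for a, b in zip(values, values[1:])}
    return len(strides) == 1


def expected_guesses(entropy_bits: float, active_sessions: int = 1) -> float:
    """Average guesses needed to land on any one of the active sessions.

    Sizes the risk for rate limiting: a 16-bit space with one active
    session falls on average after 2**15 requests.
    """
    return 2 ** entropy_bits / (2 * active_sessions)


def audit_session_ids(ids: List[str], active_sessions: int = 1) -> Dict[str, object]:
    """Run both checks and report against the minimum-entropy bar."""
    bits = estimate_entropy_bits(ids)
    sequential = looks_sequential(ids)
    return {
        "entropy_bits_upper_bound": bits,
        "sequential": sequential,
        "expected_guesses": expected_guesses(bits, active_sessions),
        "meets_minimum": bits >= MIN_ENTROPY_BITS and not sequential,
    }


if __name__ == "__main__":
    # Constructed samples: 4096 identifiers from each generator.
    weak = [weak_session_id(i) for i in range(4096)]
    strong = [strong_session_id() for _ in range(4096)]
    print("weak:  ", audit_session_ids(weak))
    print("strong:", audit_session_ids(strong))
```

The estimate is an upper bound, so a generator that passes it is not proven sound; one that fails it, as the constructed weak generator does at about 12 bits from 4096 samples, is unambiguously within brute-force reach.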
Defending against China-nexus covert networks of compromised devices
Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it

Summary
With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners:
- Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
- Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
- Germany Federal Office for the Protection of the Constitution - Bundesamt für Verfassungsschutz (BfV)
- Germany Federal Intelligence Service – Bundesnachrichtendienst (BND)
- Germany Federal Office for Information Security - Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
- Netherlands General Intelligence and Security Service - Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
- Netherlands Defence Intelligence and Security Service - Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Spain National Cryptologic Centre – Centro Criptológico Nacional (CCN)
- Sweden National Cyber Security Centre - Nationellt cybersäkerhetscenter (NCSC-SE)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Department of Defense Cyber Crime Center (DC3)
- United States Federal Bureau of Investigation (FBI)
- United States National Security Agency (NSA)
Its purpose is to provide network defenders with the tools needed to defend against China-nexus cyber actors and their tactic of using large-scale networks of compromised devices (covert networks) to route their cyber activity.
Introduction
Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure and towards the use of externally provisioned, large-scale networks of compromised devices. The NCSC believes that the majority of China-nexus threat actors are using these networks (hereafter “covert networks”), that multiple covert networks have been created and are being constantly updated, and that a single covert network may be used by multiple actors at once. These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.
Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks. They have been used by the Chinese state-sponsored actor Volt Typhoon to pre-position offensive cyber capabilities on critical national infrastructure. The group Flax Typhoon used a different covert network of compromised infrastructure to conduct cyber espionage.
The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale. This advisory describes the typical makeup of a covert network and what they are being used for. It also includes protective advice for organizations being targeted by cyber activity using a covert network as an access vector.

Covert Networks
Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity. Actors have been observed using them for each phase of their Cyber Kill Chains, from performing scans as part of reconnaissance, to the delivery of malware, communicating with said malware, and exfiltrating stolen data from a victim.
They can also be used for general deniable internet browsing, allowing threat actors to research exploitation techniques, new TTPs, and their victims without attribution. Some covert networks are also used by legitimate customers to browse the internet, making it challenging to attribute malicious activity.
There is evidence that covert networks used by China-nexus actors are created and maintained by Chinese information security companies. A network known to network defenders as Raptor Train, which in 2024 infected more than 200,000 devices worldwide, was controlled and managed by the Chinese company Integrity Technology Group. This company was also assessed by the FBI to be responsible for the computer intrusion activities attributed to China-based hackers known as Flax Typhoon.
“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks” – NCSC Director of Operations, Paul Chichester
Covert networks mostly consist of compromised SOHO routers, but they also pull in any vulnerable device they can exploit at scale. Raptor Train was made up of thousands of SOHO routers and IoT devices, such as web cameras and video recorders, as well as firewalls and Network Attached Storage (NAS) devices. The KV Botnet used by Volt Typhoon was mainly made up of vulnerable Cisco and NetGear routers. The edge devices were vulnerable because they were “end of life” – out of date and no longer receiving updates or security patches from their manufacturers.
The cyber security industry has been aware of examples of these networks for some time and has publicly reported on the widespread scale of the threat and its implications. Mandiant Intelligence published a public blog post in May 2024 on covert networks in which they highlighted a key issue for defenders: indicator of compromise (IOC) extinction.
If a particular threat group could now come from one of many covert networks, each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors, the old network defense paradigm of static malicious IP block lists will be less effective. This is compounded by the dynamic nature of these networks, where new nodes are added as old devices are patched or removed from use.

Typical Network Topology
The number of covert networks used by China-nexus cyber actors is large, with new networks regularly developed and deployed. The existing covert networks change too, either because of defensive or legal action, or simply as a result of software updates and new exploits being used to target different technologies for incorporation into the network. Because of this, a description of all known covert networks in detail, including how they are constructed and how they communicate, would immediately be out of date – and for most network defenders would not be practically useful.
However, most covert networks of compromised devices use the same basic set-up. Understanding this generalized structure can aid researchers and defenders by helping them to understand which part of a network they may have found, and how to defend against it.
[Figure: A diagram illustrating the basic setup of a covert network.]
The diagram above illustrates the basic setup of a covert network, where typically an actor will connect to the network via an on-ramp or entry node. Their traffic will be forwarded through multiple compromised devices, used as traversal nodes, before exiting the network from an exit node, usually in the same geographic region as the target.

Protective Advice
Defending against attackers using covert networks is not straightforward, and defensive tactics will differ based on the level of resource and the nature of the target organization.
General advice for good cyber security practice should be followed, and some key messages can be found in the appendix of this advisory. The following advice is specifically tailored to steps which can be taken to combat the risk of attacks coming from large, dynamic networks of compromised devices. Further guidance for all organizations facing cyber security threats is available on the NCSC website.
This guidance should be considered alongside all applicable laws and regulations of the UK and co-sealing countries relating to the security of networks and data. It will be each organization’s responsibility to ensure compliance with any such laws and regulations. Organizations should note that following the recommended actions set out below will not remove all risks.

All organizations
The NCSC recommends the following steps for all affected organizations to either take themselves, or ask their managed service and/or security providers to investigate for them:
- Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connecting to them.
- Baseline normal connections, especially to corporate virtual private networks (VPNs) or other similar services. Would you expect connections from consumer broadband ranges?
- Leverage available dynamic threat feeds which include covert network infrastructure.
- Implement multifactor authentication for remote connections.
Smaller organizations should consider creating and actioning a free NCSC Cyber Action Toolkit.

Larger or more at-risk organizations
Some more comprehensive measures may be appropriate if the risk to an organization is high enough, to be conducted either in-house or through a security provider:
- Apply IP address allow lists rather than deny lists for connections to corporate VPNs for remote workers.
- Use geographic allow lists or profile incoming connections based on operating system, time zones, and/or organization-specific system configuration settings.
- Implement zero trust policies for connections.
- Enforce machine certificates for Secure Sockets Layer (SSL) connections.
- Reduce the internet-facing presence of the IT estate.
- Investigate machine learning techniques to profile normal network edge activity to detect and block anomalies.
The NCSC's Cyber Essentials can help protect organizations of all sizes.

Largest or most at-risk organizations
- If Advanced Persistent Threat (APT) tracking is part of an organization’s in-house capability, or if it is part of the service provided by a security vendor, consider tracking China-nexus covert networks as APTs in their own right.
- Active hunting – look for connections from IP addresses likely to be part of a covert network of compromised devices, for instance those hosting SOHO routers or IoT devices.
- Track and map covert networks reported by industry or government by looking at banners and certificates.
- Use threat reporting and threat feeds to create and implement dynamic blocklists and create alert rules to detect incoming threats.
- Consider using NetFlow feeds to look upstream and map covert networks to find new nodes.
The NCSC Cyber Assessment Framework provides guidance for organizations under the highest levels of threat, including those operating essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government.

MITRE ATT&CK®
This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Tactic | ID | Technique | Procedure
Resource Development | T1584.005 | Compromise Infrastructure: Botnet | Botnets are used as core components of covert networks
Resource Development | T1584.008 | Compromise Infrastructure: Network Devices | Devices are compromised and added to botnets
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Virtual private servers (VPS) are used in covert networks, typically as on-ramps
Command and Control | T1090.003 | Proxy: Multi-hop Proxy | Used by China-nexus cyber actors to route traffic

Appendix: Cyber Security Best Practices

In addition to the protective advice outlined in this advisory, a number of cyber security best practices will also be useful in defending against the activity described in this advisory.

- Protect your devices and networks by keeping them up to date: use the latest supported versions, apply security updates promptly, use antivirus and scan regularly to guard against known malware threats. See NCSC Guidance: https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/antivirus-and-other-security-software
- Prevent and detect lateral movement in your organization's networks. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
- Implement architectural controls for network segregation. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/10-steps-network-security
- Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes and https://www.ncsc.gov.uk/information/logging-made-easy
- Use modern systems and software. These have better security built-in. If you cannot move off out-of-date platforms and applications straight away, there are short term steps you can take to improve your position.
  See NCSC Guidance: https://www.ncsc.gov.uk/collection/mobile-device-guidance/managing-the-risks-from-obsolete-products
- Restrict intruders' ability to move freely around your systems and networks. Pay particular attention to potentially vulnerable entry points such as third-party systems with onward access to your core network. During an incident, disable remote access from third-party systems until you are sure they are clean. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement and https://www.ncsc.gov.uk/guidance/assessing-supply-chain-security
- Deploy a host-based intrusion detection system. A variety of products are available, free and paid-for, to suit different needs and budgets.
- Invest in preventing malware-based attacks across various scenarios. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Disclaimer

This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by co-sealers. UK readers should refer to the NCSC website for information about NCSC assured services.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©
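As an added example (not part of the NCSC advisory), the following script applies three of the recommendations above to VPN login records: an allow list of expected source ranges rather than a deny list, a dynamic threat feed of covert-network nodes, and a per-user baseline of previously seen sources so that a connection from an unexpected range is surfaced for review. The log format, the address ranges and the feed entries are constructed for illustration and do not come from the advisory or any real feed.

```python
"""Triage VPN logins against an allow list, a covert-network feed and a
per-user baseline. Added example; the log format, ranges and feed entries
are constructed and are not from the advisory."""
import ipaddress
import re
from collections import defaultdict

# Allow list (preferred over a deny list): ranges remote workers are expected
# to connect from, e.g. corporate and partner egress. Constructed values.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Dynamic threat feed of addresses reported as nodes of a covert network of
# compromised devices. Constructed values; in practice load these from the feed.
COVERT_FEED = {ipaddress.ip_address(a) for a in ("192.0.2.77", "192.0.2.91")}

# Constructed log line format: "<timestamp> <host> auth user=<u> src=<ip> result=<r>"
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)")


def classify(line: str, baseline: dict) -> tuple:
    """Return (user, src, verdict) for one login line, updating the baseline.

    Verdict precedence: a threat-feed hit beats everything; then the allow
    list; then a source never seen before for this user, which is flagged for
    review rather than blocked. baseline maps user -> set of addresses that
    have already logged in successfully from allowed ranges.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    user, ip, result = m["user"], ipaddress.ip_address(m["src"]), m["result"]
    if ip in COVERT_FEED:
        verdict = "block:covert-feed"
    elif not any(ip in net for net in ALLOWED_NETS):
        verdict = "deny:outside-allowlist"
    elif result == "success" and baseline[user] and ip not in baseline[user]:
        verdict = "review:new-source-for-user"
    else:
        verdict = "allow"
    if verdict == "allow" and result == "success":
        baseline[user].add(ip)
    return user, str(ip), verdict


def triage(log_text: str) -> list:
    """Classify every parsable line in order, building the baseline as it goes."""
    baseline = defaultdict(set)
    results = []
    for line in log_text.splitlines():
        verdict = classify(line, baseline)
        if verdict is not None:
            results.append(verdict)
    return results


# Constructed sample log lines.
SAMPLE_LOG = """\
2026-04-23T08:01:10Z vpn01 auth user=alice src=198.51.100.23 result=success
2026-04-23T08:05:42Z vpn01 auth user=bob src=192.0.2.77 result=success
2026-04-23T08:07:03Z vpn01 auth user=alice src=203.0.113.200 result=failure
2026-04-23T08:09:15Z vpn01 auth user=alice src=203.0.113.9 result=success
"""

if __name__ == "__main__":
    for user, src, verdict in triage(SAMPLE_LOG):
        print(f"{user:6} {src:16} {verdict}")
```

The baseline is built only from successful logins that passed the allow list, so a feed hit or an out-of-range source never becomes "normal" for a user; in a real deployment the baseline would be persisted and the feed refreshed on a schedule.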
Malware Analysis Report at a Glance

Malware Name: FIRESTARTER
Original Publication: April 23, 2026

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER sample operating as a backdoor and to urge organizations to take key response actions.

Note: The release of this Malware Analysis Report aligns with CISA's update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices and Supplemental Direction ED 25-03: Core Dump and Hunt Instructions. The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

Key Actions for U.S. FCEB Agencies

- Collect and submit core dumps to CISA's Malware Next Generation platform.
- Immediately report the submission via CISA's 24/7 Operations Center; CISA will reach out with next steps.
- Take no additional action until CISA provides further guidance.

Key Actions for All Other Organizations

- Use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device.
- Report any findings to CISA or the NCSC.
- If compromise is confirmed, conduct incident response actions.

Intended Audience

Organizations: Government and critical infrastructure organizations (Note: While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K. organizations.)
Sector: Government Services and Facilities Sector
Roles: Digital forensics analysts, incident responders, vulnerability analysts, system administrators

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER, a backdoor that allows remote access and control, is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-120: Classic Buffer Overflow] and/or CVE-2025-20362 [CWE-862: Missing Authorization]. For more information on this campaign, see CISA's original version of Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (released Sept. 25, 2025).

CISA and the NCSC assess that FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities. U.S. Federal Civilian Executive Branch (FCEB) agencies are required to implement the new required actions in CISA's updated Emergency Directive (V1: ED 25-03). CISA and the NCSC urge other U.S. and U.K. organizations to use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device and to report any findings to CISA or the NCSC. Organizations can also refer to Cisco's Security Advisory and Talos Blog.

Download the PDF version of this report: AR26-113A_MAR_FIRESTARTER_backdoor_ (PDF, 604.62 KB)

For a downloadable copy of the YARA rules associated with this malware, see: FIRESTARTER_STIX (JSON, 24.27 KB)

FIRESTARTER Collection

CISA is authorized to monitor for, analyze, and notify U.S. FCEB agencies of anomalous or suspected malicious activity detected on federal networks. Through continuous monitoring, CISA identified suspicious connections on one U.S. FCEB agency's Cisco Firepower device running ASA software. CISA notified and validated the true positive finding with agency personnel and initiated a forensic engagement. During the engagement, CISA discovered one malware sample, named FIRESTARTER, on the Firepower device.

In this incident, APT actors initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER as a persistence mechanism to maintain continued access to the compromised device. Although Cisco's patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain compromised because FIRESTARTER is not removed by firmware updates.

Threat Actor Activity

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See Appendix A: MITRE ATT&CK Techniques for tables mapping the cyber actors' activity to MITRE ATT&CK tactics and techniques.

CISA's analysis identified the following:

Initial Access: CISA assesses, but has not confirmed, that APT actors obtained initial access by exploiting CVE-2025-20333 and/or CVE-2025-20362 [T1190]. CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, before the agency implemented patches in accordance with ED 25-03.

Privilege Escalation and Defense Evasion: CISA identified that APT actors first deployed LINE VIPER to establish illegitimate virtual private network (VPN) sessions [T1133] that bypassed all VPN authentication policies. This activity was associated with user accounts that existed but were no longer active within the agency [T1078]. Although this behavior was observed in this incident, threat actors may use other (including fabricated) accounts.
LINE VIPER gave the APT actors access to all configuration elements of the victim Firepower device, including administrative credentials, certificates, and private keys [T1082].

Persistence: APT actors deployed FIRESTARTER on the Firepower device before Sept. 25, 2025 (exact date is unknown). Because it was present before patching, FIRESTARTER persisted through remediation and established command and control (C2) channels on the victim Firepower device [T1219]. APT actors leveraged FIRESTARTER to regain access without re-exploiting the original vulnerabilities and deployed LINE VIPER again in March 2026.

Malware Summary

FIRESTARTER is a Linux Executable and Linkable Format (ELF) binary designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control. The malware achieves persistence by detecting termination signals and relaunching itself, and it can survive firmware updates and device reboots unless a hard power cycle occurs. FIRESTARTER attempts to install a hook (a way to intercept and modify normal operations) within LINA, the device's core engine for network processing and security functions. This hook enables the execution of arbitrary shellcode provided by the APT actors, including the deployment of LINE VIPER.

Note: The file CISA obtained for analysis was named lina_cs; filenames may vary, as threat actors can easily modify the name of the malicious file.

Malware Functionality

Initialization

Upon execution, FIRESTARTER accesses its own binary located at /usr/bin/lina_cs on the device [T1036.005] and copies its contents into memory. It then registers a callback function that triggers when the program receives any of the following termination-related signals [T1546.004]:

- SIGTERM
- SIGINT
- SIGQUIT
- SIGABRT
- SIGHUP
- SIGTSTP

After copying itself into the heap and updating the signal handlers, the shell executor runs the following commands in sequence:

    rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    cp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    chmod 755 /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    chown --reference=/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    touch -r /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    rm /usr/bin/lina_cs 2>/dev/null

These commands delete the modified CSP_MOUNT_LIST [T1070.004] and restore the original from the CSP_MOUNT_LIST.tmp copy. Execute permission is granted to all users (mode 755), the owner and timestamps are set to match the original [T1070.006], and the temporary file is then deleted. Finally, /usr/bin/lina_cs is deleted, so while the implant runs it exists only in memory and the on-disk mount list is back in its clean state.

Persistence and Shutdown Task

When any of these signals is received or runlevel 6 (reboot) is reached, the callback function is triggered and first checks whether the /opt/cisco/platform/logs/var/log/ directory exists. If absent, it creates the directory with full read/write/execute permissions [T1222]. The callback then opens /opt/cisco/platform/logs/var/log/svc_samcore.log and writes a copy of itself to this file, which is in a reboot-persistent directory. Next, the callback verifies whether /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST is present on the device. If the file is missing, FIRESTARTER creates it using a special function that can run shell commands [T1059].
After creating the file, the malware runs the following callback commands in sequence to establish persistence and manage its files:

    cp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    chown --reference=/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    touch -r /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null

It then appends the following to /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST:

    mv /opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs
    chmod 755 /usr/bin/lina_cs
    lina_cs &

These commands first create a temporary copy of CSP_MOUNT_LIST with the same ownership information and timestamps (the clean copy that the initialization sequence later restores). The script appended to CSP_MOUNT_LIST is the persistence mechanism: on the next start it moves FIRESTARTER from its staging location, svc_samcore.log, to /usr/bin/lina_cs, makes it executable, and runs it in the background [T1547]. This sequence ensures persistent execution of the file even when termination signals are received. All commands redirect standard error (stderr) to /dev/null, hiding error messages from the console [T1564].

Memory Scanning and Hook Installation

The process enumerates LINA's virtual memory map to locate the private read-write (rw-p) segment associated with lina [T1057], which represents the main process's writable data region. Once identified, this memory segment is parsed using a custom algorithm to locate the XML handler element table. The algorithm inspects each 0x260-byte region for element IDs. After identifying five element IDs in the correct offset sequence (each separated by 0x260 bytes), it calculates and stores the handler pointer address for the seventeenth element.

Shellcode Injection

FIRESTARTER scans LINA's memory to locate the executable (r-xp) segment of libstdc++.so, which corresponds to the C++ standard library's code section. The malware injects a block of shellcode 0x200 bytes before the end of the library's text segment, installing the detour for the XML element handler [T1055]. The process then resumes its main loop and continues operating until it detects a reboot runlevel or one of the termination-related signals.

Victim Identification and Stage Loading

The FIRESTARTER malware closely mirrors the RayInitiator Cisco ASA bootkit stage 3 deploy path. The injected shellcode is triggered when LINA processes a WebVPN request containing the XML tag with the detoured handler. Within the <group-select> element, the malware searches for a hard-coded 8-byte ASCII string unique to the installation, verifying it against a predefined value embedded in the shellcode. Additionally, a victim-specific ID (another hard-coded 8-byte sequence) is compared against WebVPN request elements until a match is found. Upon successful verification, the next stage of the malware is loaded by copying it into LINA's memory and invoking mprotect to enable execution of the newly injected code [T1543].

Detection

U.S. FCEB Agency Instructions

The primary detection method for FIRESTARTER is memory analysis. In accordance with V1: ED 25-03, all U.S. FCEB agencies are required to collect device core dumps and submit them to CISA's Malware Next Generation (MNG) platform (see the Incident Response section), which analyzes core dumps for the presence and behavior of the lina_cs binary. U.S. FCEB agencies should not take further action without first consulting CISA. To preserve evidence, avoid hard power cycles and other changes (e.g., reboots, patching, configuration changes) before collection and coordination, as these can affect volatile artifacts.

Other U.S. and U.K. Recommendations

CISA and the NCSC recommend using the following CISA-created YARA rules to detect FIRESTARTER when applied to a disk image or a core dump from a device:

- To obtain a disk image, open a Cisco Technical Assistance Center (TAC) case.
- For instructions on obtaining a core dump, see CISA's Supplemental Direction for ED 25-03. Note: CISA recommends following this Supplemental Direction rather than other open source resources, as APT actors commonly employ anti-forensic techniques.

YARA Rules

See Table 1 for the FIRESTARTER YARA rules.

Table 1. YARA Rules

FIRESTARTER Rule 1

    rule CISA_261290_01 : FIRESTARTER backdoor captures_system_state_data cleans_traces_of_infection fingerprints_host persists_after_system_reboot
    {
        meta:
            author = "CISA Code & Media Analysis"
            incident = "261290"
            date = "2026-4-3"
            last_modified = "20260406_732"
            actor = "n/a"
            family = "n/a"
            capabilities = "captures-system-state-data cleans-traces-of-infection fingerprints-host persists-after-system-reboot"
            malware_type = "backdoor"
            tool_type = "unknown"
            description = "Detects CISCO Firepower FIRESTARTER injector samples"
        strings:
            // x86-64: push rdi; shr rdi,12; shl rdi,12; mov edx,7; mov rsi,0x2000
            // (page-aligned address, PROT_READ|PROT_WRITE|PROT_EXEC, 0x2000 bytes: mprotect argument setup)
            $s1 = { 57 48 C1 EF 0C 48 C1 E7 0C BA 07 00 00 00 48 C7 C6 00 20 00 00 }
            // "/opt/cisco/platform/logs/var/log/"
            $s2 = { 2f 6f 70 74 2f 63 69 73 63 6f 2f 70 6c 61 74 66 6f 72 6d 2f 6c 6f 67 73 2f 76 61 72 2f 6c 6f 67 2f }
            // "/opt/cisco/config/platform/rmdb/"
            $s3 = { 2f 6f 70 74 2f 63 69 73 63 6f 2f 63 6f 6e 66 69 67 2f 70 6c 61 74 66 6f 72 6d 2f 72 6d 64 62 2f }
            // "/var/run/runlevel"
            $s4 = { 2f 76 61 72 2f 72 75 6e 2f 72 75 6e 6c 65 76 65 6c }
            // "/proc/%s/comm"
            $s5 = { 2f 70 72 6f 63 2f 25 73 2f 63 6f 6d 6d }
            // "/proc/%d/maps"
            $s6 = { 2f 70 72 6f 63 2f 25 64 2f 6d 61 70 73 }
            // "/asa/bin/lina"
            $s7 = { 2f 61 73 61 2f 62 69 6e 2f 6c 69 6e 61 }
        condition:
            5 of them
    }

FIRESTARTER Rule 2

    rule CISA_261290_02 : FIRESTARTER_shellcode backdoor captures_system_state_data cleans_traces_of_infection fingerprints_host persists_after_system_reboot
    {
        meta:
            author = "CISA Code & Media Analysis"
            incident = "261290"
            date = "2026-4-3"
            last_modified = "20260406_732"
            actor = "n/a"
            family = "n/a"
            capabilities = "captures-system-state-data cleans-traces-of-infection fingerprints-host persists-after-system-reboot"
            malware_type = "backdoor"
            tool_type = "unknown"
            description = "Detects CISCO Firepower FIRESTARTER_shellcode samples"
        strings:
            $1 = { 57 4C 8B 47 18 4D 85 C0 0F 84 C7 01 00 00 49 8B 38 48 85 FF }
            $2 = { 48 83 C6 08 4C 39 C6 0F 87 7A 01 00 00 4C 8B 0E }
            $3 = { 48 89 D7 4C 89 CE B9 D0 01 00 F3 A4 48 89 D7 57 48 C1 EF 0C 48 C1 E7 0C }
            // x86-64: syscall; pop rax; pop rdi; jmp rax; nop; nop
            $4 = { 0F 05 58 5F FF E0 90 90 }
        condition:
            3 of them
    }

Sigma Rules

Given the nature of this malware, Sigma rules do not offer effective detection: it does not generate observable log events or behavioral anomalies in standard monitoring platforms.

Incident Response

U.S. FCEB Agencies

CISA requires U.S. FCEB agencies to:

1. Refer to the Supplemental Direction for ED 25-03 for guidance on running the "show checkheaps" and "show tech-support detail" commands. Save the full output off the device (preferably to an isolated system).
2. Generate a core dump from the affected Cisco device(s) and submit it through CISA's Malware Next Generation platform.
3. Report the submission immediately via CISA's 24/7 Operations Center (contact@cisa.dhs.gov, 1-844-Say-CISA [1-844-729-2472], or CISA's Incident Reporting System). Identify the activity as related to FIRESTARTER.

After incident intake, CISA will provide guidance on next steps. If compromise is confirmed, this may include instructions to physically unplug the device from power to remove FIRESTARTER's persistence. Organizations should not unplug the device unless directed to do so by CISA.

Other U.S. Organizations

CISA recommends organizations take the following actions:

1. Although applicable to U.S. FCEB agencies, refer to the Supplemental Direction for ED 25-03 for guidance on running the "show checkheaps" and "show tech-support detail" commands. Save the full output off the device (preferably to an isolated system).
2. Generate a core dump from the affected Cisco device(s) and deploy the provided YARA rules. U.S. organizations can submit core dumps through CISA's Malware Next Generation platform.
   If the core dump indicates the presence of FIRESTARTER malware, proceed with steps 3 and 4 below; additionally, activate internal incident response plans to assess potential lateral movement and impact.
3. Unplug the device from all power sources. CISA assesses this is the only method to remove FIRESTARTER's persistence from a device. This is consistent with the mechanism described above: the staging copy in svc_samcore.log and the script appended to CSP_MOUNT_LIST are only written by the shutdown callback, so removing power while the implant is running prevents them from being re-created. Conduct the following steps:
   - Locate the physical device.
   - Unplug the physical device from its power source while the device is still powered on. Note: It is not sufficient to power the device off or reboot it. The device must be entirely removed from all power sources, including duplicate power sources created for redundancy.
   - Leave the device fully disconnected from any power source for one minute.
   - Reconnect the device to its power source and allow it to reboot.
4. Promptly report any detection of FIRESTARTER malware to CISA. U.S. organizations can report to CISA's 24/7 Operations Center (contact@cisa.dhs.gov, 1-844-Say-CISA [1-844-729-2472], or CISA's Incident Reporting System). Requests for assistance can also be submitted to CISA via this reporting channel.

U.K. Organizations

The NCSC recommends U.K. organizations take the following actions:

1. Refer to the Supplemental Direction for ED 25-03 for guidance on running the "show checkheaps" and "show tech-support detail" commands. Save the full output off the device (preferably to an isolated system).
2. Generate a core dump from the affected Cisco device(s) and deploy the provided YARA rules.
3. If FIRESTARTER is detected, report an incident to the NCSC via https://report.ncsc.gov.uk.

After reporting an incident, the NCSC will provide guidance on next steps. If compromise is confirmed, this may include instructions to physically unplug the device from power to remove FIRESTARTER's persistence. Organizations should not unplug the device unless directed to do so by the NCSC.
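The following script is an added example, not part of this report and not CISA's or the NCSC's tooling. It applies two of the checks described above to constructed inputs: it evaluates the string patterns of YARA rule CISA_261290_01 (Table 1) as raw byte searches, so the rule's "5 of them" condition can be run over a core dump or disk image without the yara module, and it flags the three-line persistence script that the Malware Functionality section says FIRESTARTER appends to CSP_MOUNT_LIST. The sample blob and mount list are constructed, and the decoding of $s1 in the comments is the editor's reading of the rule's bytes, not a statement from the report.

```python
"""Offline triage of FIRESTARTER artifacts.

Added example, not CISA's or the NCSC's tooling. Re-implements the string
checks of rule CISA_261290_01 as plain byte searches and flags the
persistence script appended to CSP_MOUNT_LIST. Sample inputs are constructed.
"""
import re

# Byte patterns copied from rule CISA_261290_01. $s2-$s7 are the ASCII paths
# the rule's hex encodes. $s1 is x86-64 code: push rdi; shr rdi,12; shl rdi,12;
# mov edx,7; mov rsi,0x2000 -- a page-aligned address, PROT_READ|WRITE|EXEC and
# a 0x2000-byte length, i.e. the argument setup for the mprotect call the
# report describes under "Victim Identification and Stage Loading".
RULE1_STRINGS = {
    "s1": bytes.fromhex("57 48 C1 EF 0C 48 C1 E7 0C BA 07 00 00 00 48 C7 C6 00 20 00 00"),
    "s2": b"/opt/cisco/platform/logs/var/log/",
    "s3": b"/opt/cisco/config/platform/rmdb/",
    "s4": b"/var/run/runlevel",
    "s5": b"/proc/%s/comm",
    "s6": b"/proc/%d/maps",
    "s7": b"/asa/bin/lina",
}
RULE1_MIN_MATCHES = 5  # the rule's condition: "5 of them"


def find_all(blob: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in blob (overlapping hits included)."""
    offsets, start = [], 0
    while (idx := blob.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def match_rule1(blob: bytes) -> tuple:
    """Evaluate CISA_261290_01 over blob.

    Returns (matched, hits) where hits maps string name -> list of offsets,
    so an analyst can jump straight to each hit in the dump.
    """
    hits = {}
    for name, needle in RULE1_STRINGS.items():
        offsets = find_all(blob, needle)
        if offsets:
            hits[name] = offsets
    return len(hits) >= RULE1_MIN_MATCHES, hits


# The three lines the report says FIRESTARTER appends to CSP_MOUNT_LIST.
# Path matching is deliberately loose: the report notes the filename lina_cs
# is easy for the actor to change, so a real hunt should also review any
# unexpected mv/chmod/background-execution lines in this file.
PERSISTENCE_PATTERNS = (
    re.compile(r"\bmv\s+\S*svc_samcore\.log\s+\S*lina_cs\b"),
    re.compile(r"\bchmod\s+755\s+\S*lina_cs\b"),
    re.compile(r"(^|[\s;])lina_cs\s*&"),
)


def check_csp_mount_list(text: str) -> list:
    """Lines of a CSP_MOUNT_LIST file that match the persistence script."""
    return [ln for ln in text.splitlines()
            if any(p.search(ln) for p in PERSISTENCE_PATTERNS)]


# Constructed sample: a fake memory blob carrying six of the seven rule strings.
SAMPLE_BLOB = (
    b"\x00" * 64 + RULE1_STRINGS["s1"] + b"\x90" * 16
    + b"/opt/cisco/platform/logs/var/log/svc_samcore.log\x00"
    + b"/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST\x00"
    + b"/var/run/runlevel\x00/proc/%d/maps\x00/asa/bin/lina\x00"
)
# Constructed sample: a mount list with the appended script after a benign line.
SAMPLE_MOUNT_LIST = """\
#!/bin/sh
mount -o remount,rw /mnt/disk0 2>/dev/null
mv /opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs
chmod 755 /usr/bin/lina_cs
lina_cs &
"""

if __name__ == "__main__":
    matched, hits = match_rule1(SAMPLE_BLOB)
    print("rule 1 matched:", matched, {k: hex(v[0]) for k, v in hits.items()})
    for line in check_csp_mount_list(SAMPLE_MOUNT_LIST):
        print("persistence line:", line)
```

On a real core dump, read the file in binary mode and pass the bytes to match_rule1; the returned offsets locate each string in the dump. For anything beyond a quick check, run the published rules with yara itself, since this helper reproduces only rule 1's strings and condition and not rule 2.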
Mitigations

CISA and the NCSC recommend all organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors' activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPG 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections recommended for all organizations. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's CPG 2.0 webpage for more information on the CPGs, including additional recommended baseline protections.

- Maintain all systems and software with the latest security patches, prioritizing expedited remediation of vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog [CPG 2.B]. At the time of ED 25-03's release (Sept. 25, 2025), available patches did not specifically remediate FIRESTARTER; although patching mitigated initial access, it did not eliminate this persistence mechanism. For additional information on software updates that prevent FIRESTARTER's persistence and for remediation guidance, refer to Cisco's Security Advisory.
- Inventory all network edge devices [CPG 2.A], with a specific focus on Cisco devices. Monitor these devices for any suspicious network connections that correlate with the activity described in this report.
- Monitor and audit activity for all accounts with elevated privileges, including network administrators and service accounts, to detect unauthorized use or anomalous behavior. For example, track and review commands executed by these accounts, and promptly investigate any suspicious activity identified. Apply the principle of least privilege and restrict service accounts to needed permissions only [CPG 3.H].
- Regularly rotate passwords for privileged accounts (such as network administrators) and service accounts. Routine password changes invalidate credentials that threat actors may have compromised, forcing them to reestablish access and increasing the likelihood of detection or disruption.
- While not specific to FIRESTARTER, modernize administrative access controls by implementing TACACS+ over TLS 1.3. This approach encrypts device administration Authentication, Authorization, and Accounting (AAA) traffic, safeguards administrator and service account credentials, and reduces the risk of interception [CPG 3.K]. See Cisco's blog, Modernizing TACACS+: Why Full-Session Encryption Matters More Than Ever.

Disclaimer

CISA and the NCSC do not endorse any commercial entity, product, company, or service, including any entities, products, companies, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by CISA or the NCSC.

Acknowledgements

Cisco contributed to this Malware Analysis Report.

Version History

April 23, 2026: Initial version.

Appendix A: MITRE ATT&CK Techniques

Tables 2 through 7 list all threat actor tactics and techniques referenced in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

Table 2. Initial Access

Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | The APT actors gained access to the victim's Cisco Firepower device, likely by exploiting CVE-2025-20333 and/or CVE-2025-20362.

Table 3. Execution

Technique Title | ID | Use
Command and Scripting Interpreter | T1059 | FIRESTARTER uses a special function to run shell commands that create /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST if it is missing. FIRESTARTER runs callback commands to manage its files.

Table 4. Persistence

Technique Title | ID | Use
Create or Modify System Process | T1543 | FIRESTARTER invokes mprotect to enable execution of newly injected code.
Event Triggered Execution: Unix Shell Configuration Modification | T1546.004 | FIRESTARTER registers a callback function that is automatically triggered when the program receives any of the following termination-related signals: SIGTERM, SIGINT, SIGQUIT, SIGABRT, SIGHUP, or SIGTSTP.
Boot or Logon Autostart Execution | T1547 | Persistence is maintained by modifying a boot-time configuration/mount script (CSP_MOUNT_LIST) so FIRESTARTER runs on startup.
External Remote Services | T1133 | The APT actors used LINE VIPER to establish illegitimate VPN sessions.
Valid Accounts | T1078 | The APT actors used valid user accounts for their illegitimate VPN sessions (the user accounts belonged to former employees).

Table 5. Defense Evasion

Technique Title | ID | Use
File and Directory Permissions Modification | T1222 | FIRESTARTER creates the /opt/cisco/platform/logs/var/log/ directory with full read/write/execute permissions. FIRESTARTER uses chown and chmod to modify file ownership and permissions.
Hide Artifacts | T1564 | FIRESTARTER redirects standard error (stderr) to /dev/null, hiding error messages from the console.
Indicator Removal on Host: File Deletion | T1070.004 | FIRESTARTER deletes the following files: CSP_MOUNT_LIST, CSP_MOUNT_LIST.tmp, and /usr/bin/lina_cs.
Indicator Removal on Host: Timestomp | T1070.006 | FIRESTARTER uses touch -r to copy timestamps from original files to modified and temporary ones, explicitly to match the original.
Masquerading: Match Legitimate Resource Name or Location | T1036.005 | FIRESTARTER accesses its own binary located at /usr/bin/lina_cs on the victim device.
Process Injection | T1055 | FIRESTARTER injects shellcode into the code section of libstdc++.so, 0x200 bytes before the end of the library's text segment.

Table 6. Discovery

Technique Title | ID | Use
Process Discovery | T1057 | FIRESTARTER enumerates LINA's virtual memory map to locate the private read-write (rw-p) segment associated with lina.
System Information Discovery | T1082 | The APT actors used LINE VIPER to access Cisco Firepower device configuration elements, including administrative credentials, certificates, and private keys.

Table 7. Command and Control

Technique Title | ID | Use
Remote Access Tools | T1219 | FIRESTARTER is a Linux ELF binary designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control.
Blockstream’s Adam Back discusses why people think he’s Satoshi Nakamoto, while the CEO of OKX Europe said MiCA is “extremely beneficial” for the industry at the latest LONGITUDE event in Paris.
BIS general manager Pablo Hernández de Cos said US dollar stablecoins may pose risks to financial stability and urges stronger global coordination on regulation.
Poland’s parliament has once again failed to overturn President Karol Nawrocki’s veto of the crypto regulation bill.
Individuals and groups would be required to register with the Bank of Russia before offering certain crypto services, or potentially face fines and prison time.
Summary

Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to denial of service, namely:

- SICAM A8000 Device firmware
  - CPCI85 for CP-8031/CP-8050
  - SICORE for CP-8010/CP-8012
  - RTUM85 for CP-8010/CP-8012
- SICAM EGS Device firmware
  - CPCI85
- SICAM S8000
  - SICORE
  - RTUM85

Siemens has released new versions for the affected products and recommends updating to the latest versions.

The following versions of Siemens SICAM 8 Products are affected:

- CPCI85 Central Processing/Communication: vers:intdot/<26.10 (all versions before 26.10) (CVE-2026-27663, CVE-2026-27664)
- RTUM85 RTU Base: vers:intdot/<26.10 (all versions before 26.10) (CVE-2026-27663)
- SICORE Base system: vers:intdot/<26.10.0 (all versions before 26.10.0) (CVE-2026-27664)

CVSS v3: 7.5
Vendor: Siemens
Equipment: Siemens SICAM 8 Products
Vulnerabilities: Allocation of Resources Without Limits or Throttling, Out-of-bounds Write

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-27663

The affected application contains a denial-of-service (DoS) vulnerability. The remote operation mode is susceptible to resource exhaustion when subjected to a high volume of requests. Sending multiple requests can exhaust resources, preventing parameterization and requiring a reset or reboot to restore functionality.
Affected Products: Siemens SICAM 8 Products
Vendor: Siemens
Product Version: CPCI85 Central Processing/Communication, RTUM85 RTU Base
Product Status: known_affected

Remediations

- Vendor fix: Update to V26.10 or later version. The firmware RTUM85 V26.10 is present within "CP-8010/CP-8012 Package" V26.10 (https://support.industry.siemens.com/cs/ww/en/view/109972894/) and also within "SICAM S8000 Package" V26.10 (https://support.industry.siemens.com/cs/document/109818240).
- Vendor fix: Update to V26.10 or later version. The firmware CPCI85 V26.10 is present within "CP-8031/CP-8050 Package" V26.10 (https://support.industry.siemens.com/cs/ww/en/view/109804985/) and also within "SICAM EGS Package" V26.10 (https://support.industry.siemens.com/cs/document/109972536/).

Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling

Metrics: CVSS 3.1, base score 6.5 (MEDIUM), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-27664

The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.
Affected Products
Siemens SICAM 8 Products
Vendor: Siemens
Product Version: CPCI85 Central Processing/Communication, SICORE Base system
Product Status: known_affected

Remediations
Vendor fix: Update to V26.10 or later version. The firmware CPCI85 V26.10 is present within “CP-8031/CP-8050 Package” V26.10 and also within “SICAM EGS Package” V26.10:
  https://support.industry.siemens.com/cs/ww/en/view/109804985/
  https://support.industry.siemens.com/cs/document/109972536/
Vendor fix: Update to V26.10.0 or later version. The firmware SICORE V26.10.0 is present within “CP-8010/CP-8012 Package” V26.10 and also within “SICAM S8000 Package” V26.10:
  https://support.industry.siemens.com/cs/ww/en/view/109972894/
  https://support.industry.siemens.com/cs/document/109818240

Relevant CWE: CWE-787 Out-of-bounds Write

Metrics
CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments
T. Weber, S. Dietz, D. Blagojevic, and F. Koroknai of CyberDanube coordinated disclosure of CVE-2026-27663.
S. Dietz of CyberDanube and VERBUND Digital Power coordinated disclosure of CVE-2026-27664.
S. Dietz of Siemens ProductCERT reported these vulnerabilities to CISA.

General Recommendations
Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.

Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used.
Siemens strongly recommends prior validation of any security update before it is applied, and supervision by trained staff of the update process in the target environment.

As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov.
Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-246443 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-03-26
Date        Revision  Summary
2026-03-26  1         Publication Date
2026-04-02  2         Initial CISA Republication of Siemens ProductCERT SSA-246443 advisory
Summary
Schneider Electric is aware of a vulnerability in its EcoStruxure™ Automation Expert product. The EcoStruxure™ Automation Expert product is plant automation software designed for digital control systems in discrete, hybrid and continuous industrial processes: a totally integrated automation solution designed to enhance your flexibility, efficiency and scalability. Failure to apply the remediation provided below may risk execution of arbitrary commands on the engineering workstation, which could result in a potential compromise of the full system.

The following versions of Schneider Electric EcoStruxure Automation Expert are affected:
- EcoStruxure™ Automation Expert vers:intdot/<25.0.1, 25.0.1

CVSS v3: 8.2
Vendor: Schneider Electric
Equipment: Schneider Electric EcoStruxure Automation Expert
Vulnerabilities: Improper Control of Generation of Code ('Code Injection')

Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France

Vulnerabilities

CVE-2026-2273
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of untrusted commands on the engineering workstation, which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.
Affected Products
Schneider Electric EcoStruxure Automation Expert
Vendor: Schneider Electric
Product Version: EcoStruxure™ Automation Expert Versions prior to v25.0.1
Product Status: fixed, known_affected

Remediations
Vendor fix: Version v25.0.1 of EcoStruxure™ Automation Expert includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/23643079-ecostruxure-automation-expert/

Mitigation: If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
- Solution and archive files must be stored within the user’s home directory or in any location protected by appropriate Windows file-system access controls to prevent unauthorized access in multi-user environments. Users who choose to store files outside their home directory are responsible for applying restrictive Windows permissions to secure those locations.
- Before opening any solution or archive file, users are required to verify its authenticity and ensure that it has not been modified by unauthorized users.
For detailed mitigation steps, refer to the User Manual: https://product-help.se.com/EcoStruxure%20Automation%20Expert/25.0/Offer%20Guides/en-US/EAE_UM?t=EAE_UM%2FSolutionIntegrity-FE037ED3.html%3Frhhlterm%3Dundefined%253Frhsearch%253Dundefined&theme=Help

Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Metrics
CVSS Version: 3.1
Base Score: 8.2
Base Severity: HIGH
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Acknowledgments
Schneider Electric CPCERT reported this vulnerability to CISA.
Raffaele Bova of Nozomi Networks reported this vulnerability to Schneider Electric.

General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric [Recommended Cybersecurity Best Practices](https://www.se.com/us/en/download/document/7EN52-0390/) document.

For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/.
These organizations will be fully aware of this situation and can support you through the process. For further information related to cybersecurity in Schneider Electric's products, visit the company's cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp

LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

About Schneider Electric
Schneider's purpose is to create Impact by empowering all to make the most of our energy and resources, bridging progress and sustainability for all. We call this Life Is On. Our mission is to be the trusted partner in Sustainability and Efficiency.
We are a global industrial technology leader bringing world-leading expertise in electrification, automation and digitization to smart industries, resilient infrastructure, future-proof data centers, intelligent buildings, and intuitive homes. Anchored by our deep domain expertise, we provide integrated end-to-end lifecycle AI enabled Industrial IoT solutions with connected products, automation, software and services, delivering digital twins to enable profitable growth for our customers. We are a people company with an ecosystem of 150,000 colleagues and more than a million partners operating in over 100 countries to ensure proximity to our customers and stakeholders. We embrace diversity and inclusion in everything we do, guided by our meaningful purpose of a sustainable future for all. www.se.com
Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Schneider Electric CPCERT SEVD-2026-069-04 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Schneider Electric CPCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-03-10
Date        Revision  Summary
2026-03-10  1         Original Release
2026-03-19  2         Initial CISA Republication of Schneider Electric CPCERT SEVD-2026-069-04 advisory
Multiple vulnerabilities have been discovered in Cisco Catalyst SD-WAN products, the most severe of which could allow for authentication bypass. Cisco Catalyst SD-WAN (formerly Viptela) is a secure, cloud-delivered software-defined WAN architecture that optimizes application performance by intelligently routing traffic over any combination of transport links (MPLS, broadband, LTE). Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.