PatchSiren cyber security CVE debrief
CVE-2025-39673 Cert Portal CVE debrief
CVE-2025-39673 is a concurrency bug in the Linux kernel PPP forwarding path that can lead to a kernel panic or other denial-of-service condition. The supplied advisory text says the issue comes from unsafe access to the PPP channel list in ppp_fill_forward_path(), including a race between list_empty() and list_first_entry() and a separate NULL-dereference risk when pch->chan is cleared before list removal. The documented fix moves the code to an RCU-safe approach and adds a NULL check.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Security and platform teams responsible for Siemens SIMATIC CN 4100 deployments identified in the advisory, Linux kernel maintainers, and operators of systems that rely on PPP forwarding paths where an unexpected kernel panic would disrupt availability.
Technical summary
The vulnerability is an availability-impacting race condition in ppp_fill_forward_path(). According to the source description, the code can observe a non-empty ppp->channels list and then race with channel removal before list_first_entry() uses it, creating a possible access to an empty list head or freed entry. A second race occurs because pch->chan may be set to NULL before the channel structure is removed from the list, which can lead to a NULL dereference. The fix described in the advisory uses list_first_or_null_rcu(), converts list updates on ppp->channels to RCU variants, adds synchronize_net() after removal, and checks pch->chan before dereferencing it.
Defensive priority
Medium. The CVSS score provided in the source is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), so the primary concern is availability. Priority should rise if the affected product is in production or if a crash would interrupt critical networking or industrial operations.
Recommended defensive actions
- Verify whether any deployed Siemens SIMATIC CN 4100 systems are running a version earlier than V5.0.
- Apply the vendor remediation listed in the advisory: update to V5.0 or later.
- If you maintain downstream Linux kernel builds, confirm the PPP forwarding-path race fix is included in your kernel package or backport set.
- Validate PPP-dependent network paths after updating, especially on systems where a kernel panic would affect service availability.
- Track reboot/crash indicators on affected devices and keep a rollback plan for maintenance windows.
Evidence notes
The supplied source material ties the CVE to a Siemens/CISA advisory and also describes the flaw as a Linux kernel PPP race condition. That means the product mapping should be treated cautiously and verified against the vendor advisory and deployment inventory. The timeline fields supplied with the source show publication on 2026-05-12 and a CISA republication/revision on 2026-05-14; those dates are used here as the advisory timing context, not as generation dates.
Official resources
-
CVE-2025-39673 CVE record
CVE.org
-
CVE-2025-39673 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA advisory ICSA-26-134-10 on 2026-05-12, with a CISA republication/revision recorded on 2026-05-14.