PatchSiren

CVE-2025-39676 Cert Portal CVE debrief

CVE-2025-39676 is a Linux kernel issue in the qla4xxx SCSI path where an error pointer could be propagated where NULL was expected, leading to a caller Oops. The source advisory was republished by CISA in an ICS context and lists Siemens SIMATIC CN 4100 versions before 5.0 as the affected product scope, but the technical flaw described is in the Linux kernel driver logic. The documented remediation is to update to V5.0 or later.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators and integrators tracking Siemens advisory ICSA-26-134-10, especially environments that include Siemens SIMATIC CN 4100 software or firmware versions before 5.0, plus Linux kernel maintainers and administrators responsible for systems using the qla4xxx driver.

Technical summary

The advisory states that qla4xxx_get_ep_fwdb() is expected to return NULL on error, but qla4xxx_ep_connect() can return error pointers instead. Passing those pointers onward can cause an Oops in the caller. The fix changes the error return handling so the caller receives NULL rather than an error pointer. The published CVSS vector indicates local attack conditions with high availability impact and no confidentiality or integrity impact.
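
The error-pointer versus NULL mismatch described above, shown as an added userspace C model; it is not the kernel's or the advisory's code. ERR_PTR, PTR_ERR and IS_ERR are re-implemented here to mirror the kernel convention, and struct endpoint, the model_* functions, caller_would_deref and the -ENOMEM sample error are hypothetical names and values chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-creation of the kernel ERR_PTR convention: a negative errno
 * is encoded in the pointer value itself (the top MAX_ERRNO addresses). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct endpoint { int id; };  /* hypothetical stand-in for an endpoint object */

/* Hypothetical callee that signals failure with an error pointer.
 * -ENOMEM is a constructed sample error, not taken from the advisory. */
static struct endpoint *model_ep_connect(int fail)
{
    static struct endpoint ep = { .id = 1 };
    return fail ? (struct endpoint *)ERR_PTR(-ENOMEM) : &ep;
}

/* "Before" pattern: the error pointer is propagated unchanged. */
static struct endpoint *model_get_ep_buggy(int fail)
{
    return model_ep_connect(fail);
}

/* "After" pattern: error pointers are converted to NULL for the caller. */
static struct endpoint *model_get_ep_fixed(int fail)
{
    struct endpoint *ep = model_ep_connect(fail);
    return IS_ERR(ep) ? NULL : ep;
}

/* Caller written against the NULL-on-error contract: it only tests for NULL.
 * Returns 1 when it would go on to dereference ep, 0 when it bails out. */
static int caller_would_deref(const struct endpoint *ep)
{
    return ep != NULL;
}

int main(void)
{
    struct endpoint *bad = model_get_ep_buggy(1);
    printf("buggy: IS_ERR=%d errno=%ld would_deref=%d\n",
           IS_ERR(bad), PTR_ERR(bad), caller_would_deref(bad));
    printf("fixed: would_deref=%d\n", caller_would_deref(model_get_ep_fixed(1)));
    return 0;
}
```

An error pointer is non-NULL, so a caller that only checks for NULL proceeds to use it; in the kernel that access faults and produces the Oops the advisory describes.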

Defensive priority

Medium priority. The issue is described as an availability problem rather than a code-execution flaw, but an Oops can still disrupt affected systems. Apply vendor remediation during normal maintenance, sooner for systems where uptime is critical.

Recommended defensive actions

  • Update to Siemens SIMATIC CN 4100 V5.0 or later, as specified in the source advisory.
  • Confirm whether your environment actually uses the affected Siemens product scope and/or the Linux qla4xxx path referenced by the advisory.
  • Review kernel and system logs for Oops or unexpected crashes associated with qla4xxx activity.
  • Use your normal change-control and recovery planning for any firmware or software update affecting industrial or embedded systems.
  • Apply general ICS defense-in-depth practices and limit unnecessary exposure of management and maintenance interfaces.

Evidence notes

The debrief is based on the source item description and notes, which explicitly say: the qla4xxx_get_ep_fwdb() function should return NULL on error, qla4xxx_ep_connect() returns error pointers, and propagating them can lead to an Oops. The source item metadata also includes Siemens ProductCERT references, the CISA ICS advisory ICSA-26-134-10, the CVE record, and a vendor remediation to update to V5.0 or later. No KEV entry was supplied.

Official resources

Publicly disclosed in the source advisory on 2026-05-12 and republished by CISA on 2026-05-14. No KEV designation was provided in the supplied corpus.