PatchSiren cyber security CVE debrief
CVE-2025-39681 Cert Portal CVE debrief
Published on 2026-05-12 and modified on 2026-05-14, CVE-2025-39681 describes a Linux kernel defect in Hygon x86 boot initialization. A missing resctrl_cpu_detect() call can leave cache-monitoring state uninitialized, leading to a division-by-zero fault during early boot on systems with X86_FEATURE_CQM* support. The impact described in the supplied corpus is availability-only and can prevent affected machines from booting cleanly.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Linux kernel maintainers, distro and embedded Linux operators using Hygon x86 CPUs, and teams responsible for boot reliability on systems that expose resctrl/CQM monitoring features.
Technical summary
The supplied CVE text says resctrl_cpu_detect() was moved into vendor-specific BSP initialization code, but the Hygon path did not include that call. On affected Hygon systems with X86_FEATURE_CQM* support, get_rdt_mon_resources() may read boot_cpu_data.x86_cache_occ_scale before it is initialized and then divide by zero while calculating mon_l3_config. The provided CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local, availability-focused issue.
Defensive priority
Medium. Prioritize patching if you run Linux on Hygon-based x86 hardware with resctrl/CQM features enabled, especially where a boot failure would disrupt production or recovery access.
Recommended defensive actions
- Apply the upstream Linux kernel fix that restores resctrl_cpu_detect() in the Hygon BSP init path.
- Upgrade to a kernel build that includes the resolved patch and verify normal boot on representative affected hardware.
- If you operate Hygon-based systems in production, stage the update and ensure console or out-of-band recovery access before rollout.
- Review whether your deployed kernels and hardware actually expose X86_FEATURE_CQM* and resctrl features so you can scope exposure accurately.
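One way to run the scoping check in the last item above, as an added example that is not part of the original debrief or of the kernel project: it classifies a cpuinfo file by CPU vendor and CQM feature flags. The function names and the sample input are constructed for illustration; `HygonGenuine` and the `cqm*` names are the `/proc/cpuinfo` spellings of the Hygon vendor ID and the X86_FEATURE_CQM* bits. It covers the CPU side only and does not tell you whether a given kernel build carries the fix.

```shell
#!/bin/sh
# Added example: scope CVE-2025-39681 exposure from a cpuinfo file.
# Prints: not-hygon | hygon-no-cqm | hygon-cqm:<flag,flag,...> | unreadable

classify_cpuinfo() {
    cpuinfo=${1:-/proc/cpuinfo}
    [ -r "$cpuinfo" ] || { echo "unreadable"; return 0; }

    # First vendor_id line; Hygon CPUs report "HygonGenuine".
    vendor=$(awk -F': *' '/^vendor_id/ { print $2; exit }' "$cpuinfo")
    [ "$vendor" = "HygonGenuine" ] || { echo "not-hygon"; return 0; }

    # Collect cqm, cqm_llc, cqm_occup_llc, cqm_mbm_total, cqm_mbm_local, ...
    cqm=$(awk -F': *' '/^flags/ {
        n = split($2, f, " ")
        for (i = 1; i <= n; i++)
            if (f[i] == "cqm" || f[i] ~ /^cqm_/)
                out = out (out ? "," : "") f[i]
        print out
        exit
    }' "$cpuinfo")

    if [ -n "$cqm" ]; then
        echo "hygon-cqm:$cqm"   # in scope: confirm the kernel carries the fix
    else
        echo "hygon-no-cqm"     # Hygon CPU, but no CQM monitoring flags exposed
    fi
}

# Constructed sample (not captured from real hardware) for an offline run.
sample_cpuinfo() {
    printf 'processor\t: 0\nvendor_id\t: HygonGenuine\n'
    printf 'flags\t\t: fpu vme sse2 cqm_llc cqm_occup_llc cqm_mbm_total\n'
}

tmp=$(mktemp)
sample_cpuinfo > "$tmp"
echo "sample: $(classify_cpuinfo "$tmp")"
echo "host:   $(classify_cpuinfo /proc/cpuinfo)"
rm -f "$tmp"
```

Hosts that report `hygon-cqm:` are the ones to stage behind console or out-of-band recovery access before a kernel rollout.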
Evidence notes
The supplied source item and CVE description both state that the issue is in the Linux kernel and that the failure is triggered during early boot when Hygon-specific BSP init omits resctrl_cpu_detect(). The corpus also includes a CISA/CSAF advisory record with a Siemens SIMATIC CN 4100 product label and a Siemens remediation pointer, but that product mapping conflicts with the Linux-kernel Hygon description. Because of that mismatch, this debrief treats the CVE text as the authoritative technical description and flags the vendor/product mapping as low confidence and needing review. The supplied data shows no KEV listing.
Official resources
- CVE-2025-39681 CVE record (CVE.org)
- CVE-2025-39681 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in the supplied corpus on 2026-05-12 and updated on 2026-05-14. No KEV entry is present in the provided enrichment.