PatchSiren cyber security CVE debrief
CVE-2025-39682 Cert Portal CVE debrief
CVE-2025-39682 describes a Linux kernel TLS receive-path bug that is triggered by a corner case involving zero-length records already queued on rx_list. The advisory text says recvmsg() is supposed to process contiguous DATA records or a single non-DATA record, and that record-type changes should stop the loop. The fix addresses the case where the first record comes from rx_list and is zero-length. In the supplied advisory metadata, Siemens SIMATIC CN 4100 versions earlier than 5.0 are called out for remediation.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Operators and administrators responsible for Siemens SIMATIC CN 4100 systems covered by the advisory, especially where the product line depends on the Linux kernel TLS receive path. Security teams should also review any environment that consumes the same vendor firmware or software branch and confirm whether the published remediation applies.
Technical summary
The kernel TLS receive logic distinguishes between DATA and non-DATA records during recvmsg() handling. If a record has already been decrypted, the code may queue pending work on rx_list for the next recvmsg() call. The corner case described in the source is when processing starts with a zero-length record pulled from rx_list. The vulnerability was fixed by correcting handling of that edge condition so record-type transitions are managed consistently without relying on an skb path that is unavailable after zero-copy decryption.
Defensive priority
High. The issue is network-relevant, unauthenticated, and vendor remediation is available, but the supplied CVSS vector also indicates high attack complexity. Prioritize validation and patching on affected Siemens systems.
Recommended defensive actions
- Update to Siemens SIMATIC CN 4100 V5.0 or later, per the vendor remediation listed in the advisory.
- Inventory Siemens SIMATIC CN 4100 deployments and confirm whether any affected versions earlier than 5.0 are in use.
- Review exposure of TLS-enabled services or workflows that rely on the impacted kernel receive path.
- Track the CISA/Siemens advisory pair for any revision updates and re-evaluate scope if the vendor mapping changes.
- Document compensating controls and maintenance windows for systems that cannot be updated immediately.
Evidence notes
Timing is based on the supplied CVE and source item dates: published 2026-05-12 and modified 2026-05-14. The source item is a CISA CSAF advisory (ICSA-26-134-10) republishing Siemens ProductCERT advisory SSA-032379. The advisory metadata maps the issue to Siemens SIMATIC CN 4100 vers:intdot/<5.0, while the description itself identifies the underlying defect in Linux kernel TLS handling of zero-length records on rx_list. The supplied enrichment marks the issue as not in KEV.
Official resources
-
CVE-2025-39682 CVE record
CVE.org
-
CVE-2025-39682 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published in the supplied source on 2026-05-12 and revised on 2026-05-14. The supplied enrichment does not list the issue in CISA KEV.