PatchSiren cyber security CVE debrief
CVE-2025-39689 Cert Portal CVE debrief
CVE-2025-39689 describes a Linux kernel ftrace memory-safety flaw in the filter-file read path. The vulnerable code reused a pointer to global tracer hash state across lock-dropping operations, which could allow use-after-free conditions if the hash changed concurrently. The fix is to allocate and copy the hash for reads, matching the safer writer behavior and simplifying cleanup.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Linux kernel maintainers, distro security teams, and operators of systems that rely on ftrace tracing interfaces. If you consume the supplied CISA/Siemens advisory mapping, verify the product scope carefully because the source metadata and the CVE text do not cleanly align.
Technical summary
According to the source description, readers of set_ftrace_filter and set_ftrace_notrace previously attached a pointer to the global tracer hash to their iterator rather than taking a copy. Because the iterator can outlive lock-held sections while the global tracer hashes may be updated by other code, that shared pointer could become stale, creating a use-after-free or similar memory corruption bug. The resolved change makes reads behave like writes: allocate and copy the hash for the filter-file iterator, removing the lifetime hazard and reducing special-case cleanup logic.
Defensive priority
High. The supplied CVSS vector is 7.8/HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and the issue affects kernel memory handling in a core tracing path. Prioritize patch validation on any kernel builds that include the affected ftrace code path, especially where local users may interact with tracing interfaces.
Recommended defensive actions
- Confirm whether your kernel build includes the CVE-2025-39689 ftrace fix for reading set_ftrace_filter and set_ftrace_notrace.
- Apply the vendor or distribution update that copies the tracer hash for filter-file readers.
- Where the supplied advisory mapping applies, update to V5.0 or later as listed in the remediation guidance.
- Verify backport status in your asset inventory so patched and unpatched kernel builds are clearly distinguished.
- Reassess access controls and monitoring around kernel tracing interfaces, especially on systems with local user access.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-134-10 and the embedded CVE text. That text says the reader path for set_ftrace_filter and set_ftrace_notrace reused a pointer to the global tracer hash across lock-releasing calls, which could trigger UAF-like bugs, and that the fix is to allocate and copy the hash for reads. The supplied metadata also associates the advisory with Siemens SIMATIC CN 4100 and a V5.0-or-later remediation, but that product mapping appears inconsistent with the Linux-kernel vulnerability description and should be treated as low-confidence until independently verified. Public timeline in the corpus: initial publication 2026-05-12 and republished 2026-05-14.
Official resources
-
CVE-2025-39689 CVE record
CVE.org
-
CVE-2025-39689 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published by CISA on 2026-05-12 as ICSA-26-134-10 and republished on 2026-05-14. The source corpus describes a Linux kernel ftrace memory-safety issue, while the supplied advisory metadata also references Siemens SIMATIC CN 4100; verify the