PatchSiren

CVE-2025-39691 Cert Portal CVE debrief

CVE-2025-39691 describes a Linux kernel filesystem bug that CISA’s advisory maps to Siemens SIMATIC CN 4100 versions before 5.0. The reported impact is a kernel memory-safety failure in the bh_read() path that can surface as a KASAN-detected stack out-of-bounds condition during NTFS3 mount activity. The supplied CVSS 3.1 base score is 4.4 (Medium), with a local attack vector and high privileges required, so this is best treated as a targeted stability and availability issue for affected OT/Linux deployments rather than a remote wormable flaw.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Administrators of Siemens SIMATIC CN 4100 systems, OT/ICS security teams, and anyone responsible for Linux kernel maintenance on affected devices should review this issue. It is most relevant where privileged local access exists and filesystem mount activity may reach the vulnerable code path.

Technical summary

The advisory says the Linux kernel fs/buffer fix addresses a lifetime bug when calling bh_read(). In the reported NTFS3 mount scenario, mpage_read_folio() passes a stack buffer_head (map_bh) into ntfs_get_block_vbo(), and later end_buffer_read_sync() may call put_bh() after the stack object is no longer valid, producing a use-after-free/stack-out-of-bounds condition. The notes also state that if the buffer head belongs to a folio, drop_buffers() will not free locked buffers, which is why the fix moves put_bh() before __end_buffer_read_notouch(). CISA’s CSAF maps the advisory to Siemens SIMATIC CN 4100 vers:intdot/<5.0 and lists CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H.
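
The ordering change described above, as an added example in user-space C (not kernel code and not taken from the advisory). The model assumes the function that owns the stack object resumes and returns as soon as the buffer is unlocked, and it counts any access made after that point; the `model_*`, `end_read_sync_*` and `run_model` names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not a kernel symbol. */
struct model_bh {
    bool locked;      /* held while the read is in flight */
    int  refcount;    /* reference taken before the read was submitted */
    bool frame_live;  /* false once the function owning this stack object returned */
};
static int late_touches;  /* accesses made after the owning frame was gone */
static void touch(const struct model_bh *bh) { if (!bh->frame_live) late_touches++; }

/* Stands in for put_bh(): dropping the reference writes to the object. */
static void model_put_bh(struct model_bh *bh) { touch(bh); bh->refcount--; }

/* Stands in for __end_buffer_read_notouch(): unlock. Worst case assumed: the
 * waiter wakes and returns at once, so the stack object is dead from here on. */
static void model_end_read_notouch(struct model_bh *bh)
{
    touch(bh);
    bh->locked = false;
    bh->frame_live = false;
}

/* Ordering before the fix: unlock first, drop the reference afterwards. */
static void end_read_sync_unfixed(struct model_bh *bh)
{
    model_end_read_notouch(bh);
    model_put_bh(bh);
}

/* Ordering after the fix: drop the reference while the object is still locked. */
static void end_read_sync_fixed(struct model_bh *bh)
{
    model_put_bh(bh);
    model_end_read_notouch(bh);
}

/* One completion against a stack-allocated object standing in for map_bh. */
int run_model(void (*end_io)(struct model_bh *))
{
    struct model_bh map_bh = { .locked = true, .refcount = 1, .frame_live = true };
    late_touches = 0;
    end_io(&map_bh);
    return late_touches;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", run_model(end_read_sync_unfixed), run_model(end_read_sync_fixed));
    return 0;
}
```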

Defensive priority

Medium. The flaw is locally reachable and requires high privileges, but it affects a kernel code path on an OT-related product line and can cause system instability or denial of service.

Recommended defensive actions

  • Update Siemens SIMATIC CN 4100 to V5.0 or later, per the vendor remediation.
  • Verify asset inventories to confirm whether any deployed systems match the affected product/version mapping before scheduling maintenance.
  • Restrict and monitor privileged local access on affected systems because the advisory’s attack vector is local and requires high privileges.
  • Prioritize patching where filesystem mount operations are operationally important or where a kernel crash would disrupt production.
  • Track Siemens and CISA advisory updates for any product-mapping clarifications or follow-on guidance.

Evidence notes

The supplied CSAF source (ICSA-26-134-10, republished by CISA on 2026-05-14) states that the Linux kernel issue occurs during NTFS3 mount processing and can lead to a KASAN-detected stack out-of-bounds condition in end_buffer_read_sync(). The same source notes the fix is to call put_bh() before __end_buffer_read_notouch() and recommends updating Siemens SIMATIC CN 4100 to V5.0 or later. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.4). No KEV entry is present in the supplied enrichment.

Official resources

CVE-2025-39691 was published in the supplied source corpus on 2026-05-12 and modified on 2026-05-14, with CISA republishing Siemens ProductCERT advisory material on the later date. The supplied enrichment marks the issue as not in KEV.