PatchSiren cyber security CVE debrief
CVE-2025-39692 Cert Portal CVE debrief
CVE-2025-39692 is a medium-severity Linux kernel SMB server issue involving ksmbd RDMA teardown ordering. The advisory says that destroying the smb_direct_wq workqueue before stop_sessions() can leave existing connections trying to use a NULL pointer, which can disrupt availability. The CISA CSAF source maps this issue to Siemens SIMATIC CN 4100 vers:intdot/<5.0, but that product mapping is low-confidence and should be reviewed against Siemens documentation before acting on it as an exact asset match.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
OT/ICS operators and administrators responsible for Siemens SIMATIC CN 4100 deployments, especially environments that may use Linux SMB/ksmbd RDMA functionality. Security teams tracking embedded Linux updates and availability-impacting kernel fixes should also review it.
Technical summary
The source describes a teardown sequencing flaw in ksmbd RDMA handling: ksmbd_rdma_destroy() should not destroy the smb_direct_wq workqueue before stop_sessions() completes. If the workqueue is destroyed too early, already-established connections may later reference smb_direct_wq as NULL. The supplied CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local, availability-focused impact.
Defensive priority
Moderate. The issue is rated CVSS 5.5 (MEDIUM) and is primarily an availability risk, but it affects session teardown in a core service path. Prioritize if the affected Siemens product is deployed and SMB/ksmbd RDMA is in use.
Recommended defensive actions
- Update to Siemens SIMATIC CN 4100 V5.0 or later, per the supplied remediation guidance.
- Verify whether the affected product mapping applies to your asset inventory before scheduling remediation, since the vendor/product confidence is low.
- Review whether SMB/ksmbd RDMA functionality is enabled on the affected systems and document exposure.
- Track Siemens and CISA advisory updates for any product-specific clarifications or revised applicability.
- Apply standard availability safeguards for OT/ICS systems while planning maintenance windows for kernel or firmware updates.
Evidence notes
All substantive claims in this debrief come from the supplied CISA CSAF source item and its embedded remediation guidance. The source explicitly states the kernel issue and the NULL-pointer risk during existing connections, and it recommends updating to V5.0 or later. The vendor/product mapping to Siemens SIMATIC CN 4100 vers:intdot/<5.0 is included in the source corpus but flagged with low confidence, so it should be treated as advisory context rather than fully verified asset attribution.
Official resources
-
CVE-2025-39692 CVE record
CVE.org
-
CVE-2025-39692 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the source advisory on 2026-05-12 and republished it on 2026-05-14; those dates are the correct disclosure context for this CVE. Do not infer a different issue date from generation or review time.