PatchSiren cyber security CVE debrief
CVE-2025-39693 Cert Portal CVE debrief
CVE-2025-39693 is a medium-severity availability issue published by CISA on 2026-05-12 and republished with Siemens ProductCERT material on 2026-05-14. The supplied advisory says the fix is to update Siemens SIMATIC CN 4100 to V5.0 or later. The underlying technical issue described in the record is a NULL pointer dereference risk in Linux kernel drm/amd/display code.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Owners and operators of Siemens SIMATIC CN 4100 deployments, especially teams responsible for patching, asset inventory, and validation in industrial environments. Linux kernel maintainers and integrators should also note the code-level NULL dereference described in the advisory record.
Technical summary
The source corpus describes a kernel-level NULL pointer dereference condition in drm/amd/display. Specifically, drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can reportedly return NULL, and the fix is to check the return values before dereferencing them. The CVSS vector in the supplied data is AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access, high attack complexity, low privileges, no user interaction, and an availability impact only.
Defensive priority
Medium. The impact is availability-focused and the CVSS score is 4.7, but the advisory is tied to industrial-control product guidance and should be handled through vendor-recommended updating and validation.
Recommended defensive actions
- Update Siemens SIMATIC CN 4100 to V5.0 or later, per the Siemens remediation guidance in the supplied advisory.
- Verify whether your deployment matches the affected product scope before scheduling maintenance or applying updates.
- Review the Siemens and CISA advisory references for any deployment-specific instructions or constraints.
- Track affected assets for any crashes or service interruptions consistent with a NULL pointer dereference until remediation is complete.
- Confirm that your internal prioritization flow reflects that this CVE has no CISA KEV listing, based on the supplied data.
Evidence notes
The source metadata contains a mismatch: the CVE description references a Linux kernel drm/amd/display fix, while the advisory metadata and remediation point to Siemens SIMATIC CN 4100 and Siemens ProductCERT advisory SSA-032379. Because of this inconsistency, the product association should be treated as low-confidence and verified against the official Siemens/CISA references before operational action.
Official resources
- CVE-2025-39693 CVE record (CVE.org)
- CVE-2025-39693 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Published in the supplied CISA CSAF source on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT advisory material. No CISA KEV date is present in the supplied corpus.