PatchSiren cyber security CVE debrief
CVE-2025-39694 Cert Portal CVE debrief
CVE-2025-39694 is a high-severity vulnerability described in the Linux kernel s390/sclp tracing path: a NULL SCCB address is checked after physical-to-virtual translation, which can cause the check to fail when the kernel identity mapping does not start at zero. The result may be incorrect access to the first page of the identity mapping. The supplied advisory set was published by CISA on 2026-05-12 and republished on 2026-05-14. The source corpus also links the CVE to Siemens SIMATIC CN 4100 versions earlier than V5.0, but the underlying vulnerability text is Linux-kernel-specific, so applicability should be manually verified before actioning remediation.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Security and operations teams responsible for Siemens SIMATIC CN 4100 deployments, and any Linux s390 environments that use SCLP interrupt handling or related tracing code. Because the source corpus contains a product-description mismatch, asset owners should validate whether the advisory applies to their environment before scheduling remediation.
Technical summary
The issue is caused by performing the SCCB NULL check after translating a physical SCCB address into a virtual address. If the identity mapping does not begin at address zero, a NULL physical address does not translate to a zero virtual address, so the early-exit logic can be bypassed. That can lead to incorrect access to the first page of the identity mapping. The cited fix introduces handling for the NULL case before address translation.
Defensive priority
High. Validate exposure promptly and apply the vendor remediation if the Siemens advisory applies to your asset. Treat the source linkage as important but not fully resolved because of the Linux-kernel-vs-product-description inconsistency in the supplied corpus.
Recommended defensive actions
- Confirm whether the affected asset matches Siemens SIMATIC CN 4100 versions earlier than V5.0 and whether the advisory is applicable in your environment.
- Apply the Siemens remediation to update to V5.0 or later, per the supplied advisory reference.
- If you operate Linux s390 systems, review kernels and build baselines that include SCLP interrupt tracing logic and prioritize patching where the issue is present.
- Use CISA industrial control system defense-in-depth guidance and related recommended practices to reduce operational impact while remediation is planned.
Evidence notes
The supplied CISA CSAF entry states: 'In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present check...' and describes a NULL-check timing flaw after address translation. The same source item, however, associates the CVE with Siemens SIMATIC CN 4100 vers:intdot/<5.0. Because the advisory content and product header do not fully align, the vendor/product scope should be treated as needing manual review. CVSS vector supplied in the corpus is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Official resources
-
CVE-2025-39694 CVE record
CVE.org
-
CVE-2025-39694 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Public debrief prepared from the supplied CISA CSAF source and official reference links only. No exploit instructions or reproduction guidance are included. The product linkage in the corpus appears uncertain and should be validated against