PatchSiren cyber security CVE debrief

CVE-2025-39697 Cert Portal CVE debrief

CVE-2025-39697 describes a race condition in Linux kernel NFS write handling. The flaw centers on lock timing around request removal and page-group locking, which can allow a request state change to race with update logic and create an availability impact. The supplied CISA/Siemens material maps this to Siemens SIMATIC CN 4100 versions earlier than 5.0, but that product attribution should be treated cautiously because the technical description is kernel-centric.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

System owners and patch managers for Siemens SIMATIC CN 4100 deployments, embedded Linux maintainers, and operational teams responsible for systems that consume the affected Linux kernel NFS code path.

Technical summary

According to the supplied advisory text, nfs_lock_and_join_requests() checks whether a write request is still attached to the mapping, but nfs_inode_remove_request() can still succeed before the page-group lock is actually taken. The fix is to take the page-group lock earlier in nfs_lock_and_join_requests() and hold it across request removal in nfs_inode_remove_request(), preventing the race window.
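The following is an added illustration of the lock-ordering pattern the summary describes; it is not the kernel's code and none of its names come from the NFS source. A pthread mutex stands in for the page-group lock, a boolean stands in for "still attached to the mapping", and the struct and function names (struct req, join_then_lock, lock_then_join, remover) are hypothetical. The pre-fix variant checks the attached flag before taking the lock, so a concurrent removal can complete in the window and the caller carries on with a request that is no longer attached; the post-fix variant takes the lock first, checks under it and keeps it while working, so the removal either happens before the check (and the caller backs off) or is forced to wait. The thread is started and joined inside the window on purpose, so the bad interleaving is reproduced deterministically rather than by luck. Build with -pthread.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed stand-in for an NFS page request (hypothetical, not the
 * kernel's structure): 'group_lock' plays the role of the page-group lock
 * and 'attached' the role of "still attached to the mapping".
 */
struct req {
    pthread_mutex_t group_lock;
    bool attached;
};

/* Outcomes reported by the joiner so the two orderings can be compared. */
enum { BAILED = 0, OK_ATTACHED = 1, RACED_ON_REMOVED = 2 };

/* Remover side (analogue of the request-removal path): detaches the request
 * while holding the page-group lock, which is what the fix requires. */
static void *remover(void *arg)
{
    struct req *r = arg;
    pthread_mutex_lock(&r->group_lock);
    r->attached = false;
    pthread_mutex_unlock(&r->group_lock);
    return NULL;
}

/* Pre-fix ordering: check first, lock later. The removal is started and
 * allowed to finish inside the window between the check and the lock. */
static int join_then_lock(struct req *r)
{
    if (!r->attached)
        return BAILED;                      /* checked without the lock */

    pthread_t t;
    pthread_create(&t, NULL, remover, r);
    pthread_join(t, NULL);                  /* removal completes in the window */

    pthread_mutex_lock(&r->group_lock);     /* lock taken too late */
    int rc = r->attached ? OK_ATTACHED : RACED_ON_REMOVED;
    pthread_mutex_unlock(&r->group_lock);
    return rc;
}

/* Post-fix ordering: lock first, check under the lock, keep the lock while
 * working. The same remover is started, but it blocks on group_lock until
 * the joiner has finished, so it cannot detach the request underneath it. */
static int lock_then_join(struct req *r)
{
    pthread_mutex_lock(&r->group_lock);
    if (!r->attached) {
        pthread_mutex_unlock(&r->group_lock);
        return BAILED;                      /* already removed: back off cleanly */
    }

    pthread_t t;
    pthread_create(&t, NULL, remover, r);   /* blocks inside remover() */
    int rc = r->attached ? OK_ATTACHED : RACED_ON_REMOVED;  /* still attached */
    pthread_mutex_unlock(&r->group_lock);

    pthread_join(t, NULL);                  /* removal runs only after we are done */
    return rc;
}

/* Drivers: each starts from a freshly attached request. */
int demo_prefix(void)
{
    struct req r = { PTHREAD_MUTEX_INITIALIZER, true };
    return join_then_lock(&r);              /* RACED_ON_REMOVED (2) */
}

int demo_postfix(void)
{
    struct req r = { PTHREAD_MUTEX_INITIALIZER, true };
    int first = lock_then_join(&r);         /* OK_ATTACHED: remover had to wait */
    int second = lock_then_join(&r);        /* BAILED: remover detached it afterwards */
    return first * 10 + second;             /* 10 */
}

int main(void)
{
    printf("check-then-lock: %d (2 = worked on a removed request)\n", demo_prefix());
    printf("lock-then-check: %d (10 = attached first time, bailed second)\n", demo_postfix());
    return 0;
}
```

The point of the post-fix variant is that the attached check and the work that depends on it happen under the same lock acquisition the remover needs, so there is no state the joiner can observe that the remover can invalidate before the joiner is finished. Checking first and locking afterwards gives the remover exactly that gap.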

Defensive priority

Medium. The supplied CVSS score is 4.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating a local, higher-complexity issue with availability impact. Prioritize remediation sooner if the affected software is deployed in production or ICS/embedded environments.

Recommended defensive actions

  • Update to V5.0 or later, as directed in the supplied remediation.
  • Confirm whether your deployment actually includes the affected Siemens SIMATIC CN 4100 software/version range before planning maintenance.
  • Use the Siemens CERT and CISA advisory references to validate the exact affected product and fix guidance.
  • Track distro/vendor kernel updates if you consume a packaged Linux kernel rather than Siemens-branded firmware.
  • Apply normal patch-management controls for embedded and industrial environments, including testing in a staging system before broad rollout.

Evidence notes

The source corpus states: (1) a Linux kernel NFS race condition in request update/removal handling; (2) CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H with score 4.7; and (3) remediation to update to V5.0 or later. The same source item also carries a Siemens SIMATIC CN 4100 <5.0 product mapping, but the vendor confidence is low and the source metadata itself is inconsistent with the kernel-focused description, so the product attribution should be reviewed against the linked vendor advisory.

Official resources

Publicly disclosed in the CISA CSAF source on 2026-05-12, with a CISA republication/update on 2026-05-14. The supplied record associates the issue with Siemens SIMATIC CN 4100 <5.0, while the technical description itself concerns a Linux N