PatchSiren cyber security CVE debrief
CVE-2025-39702 Cert Portal CVE debrief
CVE-2025-39702 is a high-severity timing issue in the Linux kernel’s IPv6 segment routing path. The fix changes MAC comparison to a constant-time helper so attackers cannot use timing differences to learn information. In the supplied advisory corpus, CISA republishes Siemens guidance for SIMATIC CN 4100 systems that include affected software, with remediation to update to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
OT and industrial control system operators using Siemens SIMATIC CN 4100 devices, administrators responsible for embedded Linux-based appliance software, and security teams that manage vendor advisories and patch validation for production control environments.
Technical summary
The underlying bug is a non-constant-time MAC comparison in IPv6 segment routing. Because MACs were not compared in constant time, an attacker with the prerequisites reflected in the CVSS vector could potentially infer information through timing differences. The published vector indicates local access and low privileges are required, with confidentiality and availability impact but no integrity impact. The advisory corpus ties the issue to Siemens SIMATIC CN 4100 product guidance and recommends updating to V5.0 or later.
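To make the bug class concrete, the following added example (not kernel code and not part of the advisory) contrasts an early-exit MAC compare with a constant-time one in the style of the kernel's crypto_memneq(); SR_HMAC_LEN, the two compare helpers and work_for_prefix are constructed for illustration, and a byte counter stands in for the elapsed time a timing side channel would observe.

```c
#include <stddef.h>
#include <stdint.h>

#define SR_HMAC_LEN 32 /* HMAC field size in the SRH HMAC TLV (assumed for this example) */

/* Bytes inspected by the most recent compare: a stand-in for elapsed time,
 * which is what a timing side channel actually observes. */
static size_t bytes_examined;

/* Vulnerable pattern: returns at the first mismatch, so work (and time)
 * grows with the number of leading bytes that happen to match. */
static int mac_equal_naive(const uint8_t *a, const uint8_t *b, size_t n)
{
    bytes_examined = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_examined++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Hardened pattern, in the spirit of the kernel's crypto_memneq(): touch
 * every byte and OR-fold the differences with no data-dependent branch. */
static int mac_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff = 0;
    bytes_examined = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_examined++;
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}

struct cmp_result { size_t examined; int equal; };

/* Runs cmp() on a constructed expected MAC and a guess whose first `prefix`
 * bytes match it; reports the bytes examined and the equality verdict. */
static struct cmp_result work_for_prefix(int (*cmp)(const uint8_t *, const uint8_t *, size_t),
                                         size_t prefix)
{
    uint8_t expected[SR_HMAC_LEN], guess[SR_HMAC_LEN];
    for (size_t i = 0; i < SR_HMAC_LEN; i++) {
        expected[i] = (uint8_t)(0xA5 ^ i);
        guess[i] = i < prefix ? expected[i] : (uint8_t)~expected[i];
    }
    int eq = cmp(expected, guess, SR_HMAC_LEN);
    return (struct cmp_result){ bytes_examined, eq };
}
```

With the naive compare the work grows by one byte for each additional leading byte that matches, while the constant-time version always examines all 32 bytes and still returns the same verdict.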
Defensive priority
High for any affected Siemens SIMATIC CN 4100 deployment or downstream build that includes the vulnerable code path. Even though the issue is not marked as KEV, the combination of high CVSS severity, local attack prerequisites, and exposure in an OT-adjacent product warrants prompt validation and patch planning.
Recommended defensive actions
- Confirm whether any deployed Siemens SIMATIC CN 4100 systems are on versions earlier than V5.0.
- Apply the vendor remediation to update to V5.0 or later.
- Review downstream or embedded Linux images that may include the affected IPv6 segment routing code path.
- Restrict local access and privileged accounts on systems that cannot be updated immediately.
- Track the Siemens and CISA advisories for any follow-up guidance or revised product scope.
- Validate patches in a maintenance window before broad rollout in production OT environments.
Evidence notes
This debrief is based only on the supplied CISA CSAF source item and its referenced Siemens advisory links. The source description states: “In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: Fix MAC comparison to be constant-time.” The same source corpus lists remediation as updating to V5.0 or later. The product mapping in the supplied metadata is low-confidence and marked needsReview, so the underlying code issue should be treated as Linux-kernel based while the affected product scope should be confirmed against the vendor advisory.
Official resources
- CVE-2025-39702 CVE record (CVE.org)
- CVE-2025-39702 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CVE-2025-39702 was published on 2026-05-12 and modified on 2026-05-14. The supplied source item shows an initial CISA publication on 2026-05-12 and a 2026-05-14 republication of Siemens ProductCERT advisory SSA-032379. No KEV listing is set