PatchSiren cyber security CVE debrief
CVE-2025-39703 Cert Portal CVE debrief
CVE-2025-39703 describes a denial-of-service condition in Linux kernel HSR handling that can trigger a kernel BUG and crash when a received HSR frame is too short to hold the required HSR tag. In the supplied advisory material, CISA maps the issue to Siemens SIMATIC CN 4100 versions before 5.0 and republishes Siemens ProductCERT guidance. The affected code path can be reached while handling network traffic, making this primarily an availability risk.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
OT and industrial network operators using Siemens SIMATIC CN 4100, plus teams responsible for Linux-based bridge/HSR deployments, should prioritize this. Kernel and platform owners should also review whether any embedded or appliance-based products include the affected Linux networking stack.
Technical summary
The source advisory says that an incoming HSR frame with insufficient space for the HSR tag can leave the skb in a corrupted state. That corruption later reaches br_dev_queue_push_xmit(), where skb_push() runs without enough headroom and triggers skb_under_panic()/kernel BUG. The supplied fix is to reject and consume frames that are not long enough to contain both Ethernet and HSR headers, preventing the invalid skb state from propagating. The issue was found by syzkaller, and the supplied CVSS vector indicates an adjacent-network, no-authentication availability impact only.
Defensive priority
High for affected Siemens deployments because the impact is a crash-level availability issue in a networking path and the advisory provides a vendor fix. For general Linux environments, priority depends on whether HSR and bridging features are in use, but exposed packet-processing paths should still be treated as operationally sensitive.
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, per the supplied remediation.
- Verify whether HSR and bridge functionality are enabled anywhere in the environment; if not needed, disable or isolate those paths where feasible.
- Apply vendor guidance from Siemens ProductCERT / CISA and plan maintenance windows, since the impact is service disruption rather than code execution.
- Monitor for unexpected kernel crashes or network-stack panics on systems handling HSR traffic.
- If you maintain a Linux-based product that uses HSR or bridge forwarding, review whether the local kernel includes the reject-short-frame fix.
Evidence notes
The supplied CISA CSAF advisory (ICSA-26-134-10) and Siemens references say the vulnerability is in Linux kernel HSR handling and can crash the system when a received frame cannot hold the HSR tag. The corpus includes a kernel panic trace showing skb_under_panic and skb_push in the call stack, and states that syzkaller found the issue. The advisory’s remediation is to update to V5.0 or later. The published date used here is the CVE/advisory publication date, 2026-05-12, with a CISA republication noted on 2026-05-14.
Official resources
-
CVE-2025-39703 CVE record
CVE.org
-
CVE-2025-39703 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
First published in the supplied advisory set on 2026-05-12 as CISA ICS Advisory ICSA-26-134-10, based on Siemens ProductCERT advisory SSA-032379. The source record was republished by CISA on 2026-05-14. Timing in this debrief follows the CV