PatchSiren cyber security CVE debrief
CVE-2025-39706 Cert Portal CVE debrief
CVE-2025-39706 describes a Linux kernel teardown-order bug in drm/amdkfd where KFD debugfs is destroyed before the process-destroy workqueue finishes. According to the advisory text, that can leave kfd_process_destroy_wq calling kfd_debugfs_remove_process after /sys/kernel/debug/kfd has already been removed, leading to a kernel NULL pointer problem and a system hang. The source advisory places the issue in Siemens SIMATIC CN 4100 versions before 5.0 and recommends updating to V5.0 or later.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Administrators, operators, and maintenance teams responsible for Siemens SIMATIC CN 4100 systems covered by ICSA-26-134-10, especially where the affected Linux kernel path is present and AMD KFD/debugfs functionality is enabled.
Technical summary
The advisory says the fix is to move kfd_process_destroy_wq before kfd_debugfs_fini. The failure occurs when debugfs_remove_recursive(entry->proc_dentry) tries to remove /sys/kernel/debug/kfd/proc/<pid> after /sys/kernel/debug/kfd has already been removed. The stated effect is a kernel NULL pointer condition that can hang the system. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local, low-privilege availability issue rather than a confidentiality or integrity impact.
Defensive priority
Medium. This is a local availability issue, but a kernel hang on an operational platform can still be disruptive and should be remediated promptly during normal maintenance windows.
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, as directed in the vendor remediation.
- Confirm whether your deployed hardware/software stack matches the affected product/version scope in ICSA-26-134-10.
- Schedule maintenance to apply the fix and validate that kernel teardown paths no longer trigger hangs or NULL pointer failures.
- Monitor for unexplained kernel hangs or crashes involving KFD/debugfs teardown behavior on affected hosts.
- Treat the issue as defense-in-depth rather than a known exploited vulnerability; no KEV entry is listed in the supplied data.
Evidence notes
The supplied CISA CSAF advisory (ICSA-26-134-10) and Siemens ProductCERT references state that the issue is resolved by moving kfd_process_destroy_wq before kfd_debugfs_fini. The description explicitly says /sys/kernel/debug/kfd may already be gone when kfd_debugfs_remove_process runs, causing a kernel NULL pointer problem and hang. The remediation in the supplied corpus is to update to V5.0 or later. The provided CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vendor/product mapping in the input is marked low confidence, so the product scope should be validated against the official Siemens advisory before operational decisions are made.
Official resources
-
CVE-2025-39706 CVE record
CVE.org
-
CVE-2025-39706 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly published on 2026-05-12 and modified on 2026-05-14. The source advisory references Siemens ProductCERT SSA-032379 and the CISA republication of ICSA-26-134-10. No KEV date is listed in the supplied data.