PatchSiren cyber security CVE debrief
CVE-2025-39709 Cert Portal CVE debrief
CVE-2025-39709 is a Linux kernel media: venus issue where the interrupt handler may not be fully initialized before the IRQ is registered. If a spurious interrupt arrives in that window, the kernel can dereference a NULL pointer. The supplied advisory notes the condition was observed during system boot on Rb3Gen2. CISA’s published CSAF advisory republishes Siemens ProductCERT guidance and maps the issue to Siemens SIMATIC CN 4100 versions before 5.0.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Operators and maintainers of Siemens SIMATIC CN 4100 systems running versions earlier than 5.0, especially environments that boot frequently or rely on Linux kernel media/codec components. OT defenders and patch managers should also track the advisory because the impact is service disruption during startup rather than data theft.
Technical summary
The flaw is a probe-time race in the Linux kernel’s venus media driver. The IRQ is registered too early relative to hfi_create()/handler setup, so an interrupt can be delivered before the handler state exists. That can lead to a NULL dereference and crash the affected component or system. The advisory and CVSS vector indicate local attack conditions and high availability impact, with no confidentiality or integrity impact stated in the supplied source.
Defensive priority
Medium. The issue is availability-focused and appears most relevant during initialization or boot, but it can still disrupt affected embedded or OT systems. Prioritize if the device model and version match the advisory and if reboot reliability matters operationally.
Recommended defensive actions
- Update Siemens SIMATIC CN 4100 to V5.0 or later, per the vendor remediation in the advisory.
- Verify whether any deployed systems match the affected product/version scope before scheduling maintenance.
- Monitor for boot-time crashes or repeated startup failures that could indicate the race condition is present in the field.
- Use vendor and CISA advisory references to confirm package and firmware status for any integrated Linux kernel components.
- Treat the issue as an availability risk and include it in reboot/change-management testing for affected devices.
Evidence notes
Source corpus states: the Linux kernel vulnerability is resolved by initializing the interrupt handler before registering the interrupt; otherwise a spurious interrupt can cause a NULL dereference. The advisory says the issue was observed during system boot on Rb3Gen2. The supplied CISA CSAF source published on 2026-05-12 and was republished on 2026-05-14 from Siemens ProductCERT SSA-032379. No KEV listing was supplied. Timing context uses the provided CVE published/modified dates.
Official resources
-
CVE-2025-39709 CVE record
CVE.org
-
CVE-2025-39709 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the supplied source advisory on 2026-05-12 and republished by CISA on 2026-05-14 from Siemens ProductCERT SSA-032379. No known exploitation campaign or KEV listing is included in the supplied corpus.