PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-39710 Cert Portal CVE debrief

CVE-2025-39710 is a medium-severity bounds-checking issue described in the supplied advisory corpus as a packet-size validation flaw in the Linux kernel media: venus path. The advisory text says packet size read from shared memory was not being checked against the number of available words, creating a risk of out-of-bounds memory access. In the supplied product mapping, Siemens SIMATIC CN 4100 versions prior to 5.0 are listed as affected, with a fix to update to V5.0 or later. The provided CVSS vector indicates local access and elevated privileges are required, with the main impact being availability.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

OT/ICS operators and asset owners running Siemens SIMATIC CN 4100 versions earlier than 5.0, along with administrators and maintenance teams responsible for patching embedded Linux-based components and validating vendor advisories.

Technical summary

The issue is a missing bounds check on a packet size value read from shared memory after the packet header is parsed. If the size exceeds the number of available words, the driver could process an invalid length and risk out-of-bounds memory access. The supplied corpus associates this with Siemens SIMATIC CN 4100 <5.0 and recommends updating to V5.0 or later, but the corpus also contains Linux kernel media: venus wording, so the product attribution should be reviewed carefully.
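The missing-check pattern the advisory describes, shown here as an added C illustration rather than the kernel's, the venus driver's, or Siemens' actual code; the packet layout, HDR_WORDS and the function names are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed packet layout for illustration only (not the real driver's
 * format): word 0 = payload length in 32-bit words, word 1 = packet type,
 * followed by the payload. The buffer lives in shared memory, so every
 * field in it is untrusted input. */
#define HDR_WORDS 2u

/* Vulnerable pattern: the header is parsed and the size is used as-is.
 * A size larger than the words remaining after the header walks the loop
 * past the end of the buffer (the out-of-bounds access the advisory names). */
int sum_payload_unchecked(const uint32_t *shared, size_t avail_words,
                          uint32_t *sum)
{
    (void)avail_words;                      /* never consulted: the bug */
    uint32_t size = shared[0];
    uint32_t acc = 0;
    for (uint32_t i = 0; i < size; i++)
        acc += shared[HDR_WORDS + i];
    *sum = acc;
    return 0;
}

/* Hardened pattern: validate the size against the words actually available
 * before touching the payload. Returns 0 on success, -1 on rejection. */
int sum_payload_checked(const uint32_t *shared, size_t avail_words,
                        uint32_t *sum)
{
    if (avail_words < HDR_WORDS)
        return -1;                          /* not even a complete header */
    uint32_t size = shared[0];
    if (size > avail_words - HDR_WORDS)     /* subtraction is safe: checked above */
        return -1;                          /* size exceeds available words */
    uint32_t acc = 0;
    for (uint32_t i = 0; i < size; i++)
        acc += shared[HDR_WORDS + i];       /* every index now < avail_words */
    *sum = acc;
    return 0;
}
```

The checked variant is the one a reviewer should expect after the packet header is parsed; the oversize and truncated-header cases are the inputs to exercise when validating a fix.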

Defensive priority

Medium. Plan remediation in the next maintenance window, sooner for high-value or safety-relevant deployments, because a vendor fix is available and the issue affects availability.

Recommended defensive actions

  • Inventory Siemens SIMATIC CN 4100 deployments and confirm whether any are running versions earlier than V5.0.
  • Apply the vendor-recommended update to V5.0 or later during a controlled maintenance window.
  • Validate the update in a test environment first and confirm rollback options for operational continuity.
  • Follow Siemens and CISA advisory updates for any additional mitigation or clarification tied to this CVE.
  • Use defense-in-depth controls from the CISA ICS guidance to limit administrative access and reduce exposure to local compromise paths.

Evidence notes

The timing and remediation guidance are taken from the supplied CISA CSAF advisory ICSA-26-134-10, published 2026-05-12 and republished 2026-05-14. The corpus links the vulnerability description to a Linux kernel media: venus packet-size check and also maps it to Siemens SIMATIC CN 4100 <5.0; because those signals do not fully align, the vendor/product attribution should be treated as low-confidence and verified against the Siemens ProductCERT advisory.

Official resources

Publicly disclosed in the supplied advisory corpus on 2026-05-12, with a CISA republication on 2026-05-14.