PatchSiren cyber security CVE debrief
CVE-2025-39713 Cert Portal CVE debrief
CVE-2025-39713 describes a time-of-check to time-of-use race in the Linux kernel rainshadow-cec interrupt handler. The fix moves the spin lock before the buffer-full check so the check and buffer update happen atomically, preventing concurrent interrupts from overrunning the buffer. The advisory data published by CISA on 2026-05-12 and republished on 2026-05-14 maps the issue to Siemens SIMATIC CN 4100 metadata, so product attribution should be reviewed carefully against the Linux-kernel code description.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers of Siemens SIMATIC CN 4100 environments, embedded/OT teams relying on the affected advisory, and Linux kernel or firmware integrators who ship the rainshadow-cec media driver should pay attention. Security teams responsible for patch validation and device lifecycle management should also track this issue because the impact is availability-focused but can still be service-disruptive.
Technical summary
The reported flaw is a TOCTOU race in rain_interrupt(): a buffer-length full check occurs before acquiring rain->buf_lock, while a separate work handler updates the same state under that lock. If multiple interrupts race, both can observe a non-full buffer and proceed, allowing buf_len to advance past DATA_SIZE and causing a buffer overflow. The remediation is to acquire the lock before checking buffer capacity and to release it on the overflow path. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which aligns with local-access, low-complexity, availability impact.
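The check-then-lock ordering described above, replayed deterministically in user space beside the lock-then-check ordering of the fix; this is an added illustration, not the kernel driver's source. The struct rain_model, the helper names, the DATA_SIZE value and the atomic_flag standing in for the spin lock are assumptions made for the demo.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

#define DATA_SIZE 8                       /* constructed size for this demo */

struct rain_model {                       /* hypothetical stand-in for driver state */
    atomic_flag buf_lock;                 /* models the spin lock (buf_lock) */
    unsigned char buf[DATA_SIZE + 4];     /* slack keeps the replayed overrun in bounds */
    size_t buf_len;
};

static void model_lock(atomic_flag *l)   { while (atomic_flag_test_and_set(l)) { } }
static void model_unlock(atomic_flag *l) { atomic_flag_clear(l); }

/* Racy shape, step 1: capacity is checked without holding the lock. */
static int racy_check(const struct rain_model *r) { return r->buf_len < DATA_SIZE; }

/* Racy shape, step 2: the write happens later, under the lock. */
static void racy_commit(struct rain_model *r, unsigned char c)
{
    model_lock(&r->buf_lock);
    r->buf[r->buf_len++] = c;
    model_unlock(&r->buf_lock);
}

/* Fixed shape: take the lock first, then check and update in one critical
 * section; the full path releases the lock too. Returns 0 if stored, -1 if dropped. */
static int fixed_push(struct rain_model *r, unsigned char c)
{
    model_lock(&r->buf_lock);
    if (r->buf_len >= DATA_SIZE) { model_unlock(&r->buf_lock); return -1; }
    r->buf[r->buf_len++] = c;
    model_unlock(&r->buf_lock);
    return 0;
}

/* Replay two interrupt contexts arriving with one free slot left.
 * Returns the final buf_len for the racy (fixed == 0) or the fixed ordering. */
static size_t replay(int fixed)
{
    struct rain_model r = { .buf_lock = ATOMIC_FLAG_INIT, .buf_len = DATA_SIZE - 1 };
    if (fixed) { fixed_push(&r, 'A'); fixed_push(&r, 'B'); return r.buf_len; }
    int a = racy_check(&r), b = racy_check(&r);   /* both observe "not full" */
    if (a) racy_commit(&r, 'A');
    if (b) racy_commit(&r, 'B');                  /* written at index DATA_SIZE */
    return r.buf_len;
}

int main(void) { printf("racy=%zu fixed=%zu\n", replay(0), replay(1)); return 0; }
```

In the racy replay the lock is held for every write and buf_len still ends past DATA_SIZE, because the capacity decision was made outside the critical section.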
Defensive priority
Medium
Recommended defensive actions
- Apply the vendor remediation: update to V5.0 or later if your environment matches the Siemens advisory.
- Confirm whether any deployed devices or images include the affected rainshadow-cec Linux kernel code path before planning maintenance.
- Prioritize patching where local users or processes can interact with the affected kernel component, since the CVSS vector indicates local attack requirements.
- Validate updates in a maintenance window and verify device behavior after reboot or redeployment.
- Track follow-on advisory updates from CISA and Siemens in case product attribution or affected-version details are refined.
Evidence notes
This debrief is based only on the supplied CISA CSAF advisory corpus and the linked official references. The source states that the issue was published on 2026-05-12 and republished on 2026-05-14. The vulnerability text describes a Linux kernel rainshadow-cec interrupt-handler TOCTOU race that can overflow a buffer and cause availability impact. The advisory metadata, however, associates the CVE with Siemens SIMATIC CN 4100 version information, so the product mapping is marked low confidence and needs review.
Official resources
- CVE-2025-39713 CVE record (CVE.org)
- CVE-2025-39713 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
- Source reference (Reference)
- Source reference (Reference)
- Source reference (Reference)
- Source reference (Reference)
- Source reference (Reference)
CISA published the advisory on 2026-05-12 and republished it on 2026-05-14 from Siemens ProductCERT material. The advisory text describes a Linux kernel rainshadow-cec TOCTOU race in an interrupt handler, identified by an experimental stat-