PatchSiren cyber security CVE debrief
CVE-2025-39719 Cert Portal CVE debrief
CVE-2025-39719 is a medium-severity issue described in the Linux kernel’s bno055 IIO/IMU driver. The flaw is a potential out-of-bounds array access in bno055_get_regmask() caused by iterating hw_xlate using the vals array length instead of hw_xlate’s own length. The published fix adds an explicit hw_xlate_len field so the loop uses the correct bound. The source advisory corpus also republishes this under a Siemens/CISA OT advisory, but the product mapping in the metadata is low-confidence and should be verified against the official advisory text.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Kernel maintainers, distro and embedded-Linux security teams, and operators who deploy systems containing the bno055 driver or otherwise rely on the affected kernel component. Because the reported access vector is local and requires privileges, organizations that allow untrusted local users or code on affected hosts should pay particular attention.
Technical summary
The issue is a bounds-checking mistake in bno055.c. In bno055_get_regmask(), the code walked hw_xlate using the length of vals, not the length of hw_xlate itself. The report notes that bno055_gyr_scale has a larger vals array than hw_xlate, which creates the possibility of stepping past the end of hw_xlate. The corrective change adds hw_xlate_len to bno055_sysfs_attr so the loop is constrained to the correct array size.
Defensive priority
Medium. This is a local, low-privilege kernel bug with high availability impact but no reported confidentiality or integrity impact in the supplied CVSS vector. Patch in the next normal maintenance window, or sooner on systems where local access is broad or untrusted users can reach the affected kernel path.
Recommended defensive actions
- Apply the vendor or downstream fix that introduces hw_xlate_len and corrects the loop bound in bno055_get_regmask().
- If you rely on the Siemens advisory mapping in this corpus, follow the listed remediation to update to V5.0 or later, after confirming the product match is correct for your deployment.
- Verify whether the affected bno055 kernel driver is actually present and used in your environment; if it is not deployed, practical exposure is likely limited.
- Prioritize hosts that permit local shell access, untrusted workloads, or other forms of local code execution, since the CVSS vector is local and privilege-dependent.
- Track the official CVE record and the republished CISA/Siemens advisory for any revision updates or scope clarifications.
Evidence notes
The source corpus states that the vulnerability was published on 2026-05-12 and modified on 2026-05-14. The description explicitly ties the issue to Linux kernel source in bno055.c and explains the array-length mismatch. However, the metadata also maps the issue to Siemens SIMATIC CN 4100 vers:intdot/<5.0, while the vendor confidence is low and needs review. Treat the product attribution as advisory-context metadata, not as confirmed proof of the affected software stack.
Official resources
-
CVE-2025-39719 CVE record
CVE.org
-
CVE-2025-39719 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Public advisory data in the supplied corpus was first published on 2026-05-12 and updated on 2026-05-14. The source set is a CISA republication of Siemens ProductCERT advisory SSA-032379 / ICSA-26-134-10. The issue is not marked as KEV in a