PatchSiren cyber security CVE debrief
CVE-2025-39738 Cert Portal CVE debrief
CVE-2025-39738 is a Linux kernel btrfs availability issue disclosed in a Siemens advisory republished by CISA on 2026-05-12 and updated on 2026-05-14. The source text says balance/relocation can hit a transaction abort when a partially dropped subvolume is encountered, causing btrfs to fail delayed refs and abort the transaction. The remediation is to reject half-dropped subvolumes earlier and, for affected Siemens SIMATIC CN 4100 systems, update to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators and operators of systems using btrfs, especially Siemens SIMATIC CN 4100 deployments covered by the advisory and any environment that performs balance/relocation or may contain old, partially dropped subvolumes.
Technical summary
The advisory explains that the delayed-ref failure is not ordinary on-disk extent-tree corruption. Instead, the missing backref can belong to a subvolume that is already being dropped, and relocation should not be allowed to proceed for that half-dropped state. The reported outcome is a btrfs transaction abort with availability impact. The source also notes that older kernels could leave zombie subvolumes and that the issue is handled by refusing relocation of partially dropped subvolumes at an earlier stage.
Defensive priority
Medium-High. The CVSS score is 5.5 (MEDIUM), but the practical priority increases for fleets that rely on btrfs maintenance operations, long-lived filesystems, or Siemens systems explicitly covered by the advisory because the failure can abort transactions and interrupt service.
Recommended defensive actions
- Review whether affected Siemens SIMATIC CN 4100 systems are in scope and upgrade to V5.0 or later as directed by the advisory.
- Inventory hosts that use btrfs and identify whether balance/relocation operations are routine or scheduled.
- Check for legacy filesystems that may contain long-lived or partially dropped subvolumes from older kernels.
- Treat repeated btrfs transaction-abort events during delayed-ref processing as an availability incident and verify filesystem state before further maintenance.
- Use the vendor advisory and CISA publication as the primary remediation reference for product-specific guidance.
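The inventory and log-review steps above can be scripted. The following is an added example, not taken from the Siemens or CISA advisory: it lists btrfs mounts and counts, per device, delayed-ref failures that are followed by a transaction abort. The function names, the sample data and the matched kernel message wording are assumptions, and the wording differs between kernel versions.

```shell
# Added example: triage helpers; both functions read stdin.

# List "device mountpoint" for btrfs entries in /proc/mounts-format input
# (fields: device mountpoint fstype options dump pass).
btrfs_mounts() {
    awk '$3 == "btrfs" { print $1, $2 }'
}

# Print "device count" for each device where a delayed-ref failure is followed
# by a transaction abort. ASSUMPTION: the message wording matched below;
# adjust the patterns to what your kernels actually log.
btrfs_delayed_ref_aborts() {
    awk '
        /BTRFS/ && /failed to run delayed ref/ {
            pending = "unknown"
            if (match($0, /\(device [^):]+/))
                pending = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /BTRFS/ && /Transaction aborted/ && pending != "" {
            hits[pending]++
            pending = ""
        }
        END { for (d in hits) print d, hits[d] }
    ' | sort
}

# Constructed sample inputs (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdc /data btrfs rw,relatime,space_cache=v2 0 0
/dev/sdd /backup btrfs rw,noatime 0 0
EOF
}
sample_kernel_log() {
    cat <<'EOF'
[ 101.1] BTRFS info (device sdd): balance: start -d
[ 101.9] BTRFS info (device sdd): balance: ended with status: 0
[ 202.4] BTRFS error (device sdc): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -2
[ 202.5] BTRFS: Transaction aborted (error -2)
[ 202.6] BTRFS: error (device sdc) in btrfs_run_delayed_refs:2215: errno=-2 No such entry
EOF
}

sample_mounts | btrfs_mounts
sample_kernel_log | btrfs_delayed_ref_aborts
```

On a live host, pass `/proc/mounts` to `btrfs_mounts` and the kernel log (for example the output of `dmesg` or `journalctl -k`) to `btrfs_delayed_ref_aborts`.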
Evidence notes
CISA’s CSAF source identifies CVE-2025-39738 and republishes Siemens ProductCERT advisory SSA-032379. The source description states that balance triggered a transaction abort in btrfs, that the missing backref was associated with a subvolume being dropped, and that the correct fix is to reject half-dropped subvolumes for relocation earlier. The advisory metadata lists the affected product as Siemens SIMATIC CN 4100 vers:intdot/<5.0 and the remediation as updating to V5.0 or later. Published date used here is 2026-05-12 and modified date is 2026-05-14.
Official resources
- CVE-2025-39738 CVE record (CVE.org)
- CVE-2025-39738 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in CISA’s republished Siemens advisory on 2026-05-12, with a CISA republication update on 2026-05-14. Timing context is based on the supplied CVE and source publication dates.