PatchSiren cyber security CVE debrief
CVE-2025-39743 Cert Portal CVE debrief
CVE-2025-39743 is a high-severity defect described in the Linux kernel JFS code path. According to the supplied advisory text, inode pages may not be truncated when an inode’s hard-link count is 0, which can trigger a BUG_ON in clear_inode() because nrpages remains greater than 0. The advisory corpus published by CISA on 2026-05-12 and republished on 2026-05-14 includes a Siemens remediation advising an update to V5.0 or later. Note that the vendor/product mapping in the supplied data is low-confidence and should be reviewed against the referenced Siemens advisory material before operational decisions are made.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers responsible for Siemens SIMATIC CN 4100 systems, especially environments running versions earlier than V5.0, as well as teams validating Linux kernel/JFS-related behavior in affected deployments.
Technical summary
The supplied description states that when an inode copied from disk has fileset value AGGR_RESERVED_I and is later evicted with hard-link count 0, its inode pages are not truncated. During clear_inode(), the kernel observes nrpages > 0 and triggers a BUG_ON. The provided CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a local, hard-to-exploit condition with high impact if reached.
Defensive priority
High. The issue is publicly documented, carries a high CVSS score of 7, and has a vendor remediation path available. Prioritize version verification and patch planning for any potentially affected Siemens SIMATIC CN 4100 deployments.
Recommended defensive actions
- Verify whether any Siemens SIMATIC CN 4100 assets are running versions earlier than V5.0.
- Apply the vendor remediation by updating to V5.0 or later, per the Siemens advisory reference.
- Corroborate the product mapping against the linked Siemens advisory materials before treating this as an exposed asset finding.
- Track this CVE in change-management and maintenance windows for industrial environments where downtime planning is required.
- Use the CISA and Siemens advisory references to confirm affected product scope and any additional operational guidance.
Evidence notes
All statements above are grounded in the supplied CISA CSAF source item and its listed references. The source item says the flaw is resolved in Linux kernel JFS logic and provides a Siemens product remediation, but the vendor/product mapping in the supplied input is explicitly low-confidence and marked for review. Timing context uses the publishedAt/modifiedAt values supplied with the source: initial publication on 2026-05-12 and republication/refresh on 2026-05-14.
Official resources
- CVE-2025-39743 CVE record (CVE.org)
- CVE-2025-39743 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in the supplied CISA CSAF advisory on 2026-05-12 and republished on 2026-05-14 with the initial CISA republication of the Siemens ProductCERT advisory.