CVE-2025-39749 Cert Portal CVE debrief

Who should care

Operators and maintainers of Siemens-advisory-mapped SIMATIC CN 4100 systems, Linux kernel integrators, and OT/embedded teams that run kernels with the affected RCU code paths should review this CVE. The product mapping in the source data is low-confidence, so it is also worth validating whether any downstream Linux images or appliance builds inherit the affected kernel behavior.

Technical summary

According to the advisory text, the issue arises when rcu_read_unlock() is called from an interrupts-disabled region and rcu_read_unlock_special() uses irq-work to track the end of an RCU read-side critical section. The field defer_qs_iw_pending is updated by the irq-work handler and also read/updated by rcu_read_unlock_special(), creating a data race under strict KCSAN checking. The reported fix disables interrupts across the portion of rcu_preempt_deferred_qs_handler() that updates defer_qs_iw_pending. The source material frames this as an availability-impacting kernel synchronization defect rather than a code-execution issue.

Defensive priority

Moderate to high for any environment that matches the advisory scope, especially embedded or industrial Linux deployments that rely on the affected kernel build and have not yet received the fix. If the affected Siemens product is in use, treat this as a near-term patch item; otherwise, keep it in the normal kernel maintenance cycle after verifying exposure.

Recommended defensive actions

• Verify whether any deployed Siemens SIMATIC CN 4100 systems, appliance images, or downstream Linux builds match the advisory scope.
• Apply the vendor remediation: update to V5.0 or later where applicable.
• Confirm whether the kernel build uses CONFIG_IRQ_WORK=y and whether the affected RCU path is present in your deployment.
• Review CISA's ICS advisory and Siemens ProductCERT advisory for the exact affected product/version mapping before scheduling maintenance.
• Track patch rollout and retest any real-time or interrupt-sensitive workloads after updating kernel packages.

Evidence notes

The source corpus describes a Linux kernel RCU synchronization bug centered on defer_qs_iw_pending, with a KCSAN splat showing concurrent access between rcu_preempt_deferred_qs_handler() and rcu_read_unlock_special(). The CISA CSAF record identifies the advisory as ICSA-26-134-10, published 2026-05-12 and republished 2026-05-14 from Siemens ProductCERT SSA-032379. The recorded CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, matching the source's availability-focused impact. The Siemens SIMATIC CN 4100 product association in the metadata is low-confidence and should be validated against the vendor advisory before operational decisions are made. No KEV listing is provided in the supplied corpus.

Official resources