PatchSiren cyber security CVE debrief
CVE-2025-39760 Cert Portal CVE debrief
CVE-2025-39760 is a medium-severity memory-safety issue described in the Linux kernel USB core: usb_parse_ss_endpoint_companion() checked descriptor type before verifying length, which could permit an out-of-bounds read when parsing malformed SuperSpeed endpoint companion descriptors. The supplied CISA CSAF advisory republishes Siemens ProductCERT material as ICSA-26-134-10 and lists remediation for Siemens SIMATIC CN 4100 versions earlier than V5.0. Because the source corpus also marks the vendor/product mapping as low confidence and the CVE description itself is Linux-kernel-specific, treat the named product impact as advisory metadata that should be validated against the vendor notice before acting.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0 (all versions earlier than V5.0)
- CVSS: Medium, 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Security and operations teams responsible for Siemens SIMATIC CN 4100 deployments, especially units that run a Linux kernel and expose USB ports or accept removable USB media. OT/ICS administrators, embedded platform maintainers, and asset owners should also review exposure if they rely on the vendor-referenced product line or on any other Linux-based component that enumerates untrusted USB devices, since the companion descriptor at issue is supplied by the device itself during enumeration.
Technical summary
The issue is an out-of-bounds read in the Linux USB core's parsing of SuperSpeed endpoint companion descriptors. Per the advisory text, usb_parse_ss_endpoint_companion() compared the descriptor type field before confirming that enough bytes remained for the descriptor, so a truncated or otherwise malformed companion descriptor could cause reads beyond the intended buffer. The stated fix is to check the remaining size first, before reading any descriptor field. These descriptors are part of the configuration data a device returns during enumeration, so the input is controllable by anyone who can attach or emulate a USB device. The supplied source item is a CISA republication of Siemens ProductCERT advisory SSA-032379, and its remediation field specifies updating to V5.0 or later for the affected Siemens product entry.
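To make the ordering problem concrete, here is an added illustration, not the kernel's code and not part of the advisory: a cut-down companion-descriptor parser with the type-before-size check placed beside the size-first check. The struct and constant names mirror the USB names, but the instrumented reader, the extra bLength guard in the fixed version, and the sample bytes are constructions for this example. The kernel dereferences the buffer directly, which is why the bad ordering is a real out-of-bounds read there rather than a counted one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* USB 3.x SuperSpeed Endpoint Companion descriptor: bDescriptorType 0x30, bLength 6. */
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SS_EP_COMP_SIZE  6

/* Host-side view of the descriptor (wBytesPerInterval is little-endian on the wire). */
struct ss_ep_comp {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint8_t  bMaxBurst;
    uint8_t  bmAttributes;
    uint16_t wBytesPerInterval;
};

/* Instrumented view of the bytes left in the configuration blob. The kernel
 * dereferences the buffer directly; here every read goes through rd_u8() so a
 * read at or past `size` is counted instead of being undefined behaviour. */
struct rdr {
    const uint8_t *buf;
    size_t size;     /* bytes the caller says remain in the buffer */
    int oob_reads;   /* reads attempted at offset >= size */
};

static uint8_t rd_u8(struct rdr *r, size_t off)
{
    if (off >= r->size) {
        r->oob_reads++;
        return 0;
    }
    return r->buf[off];
}

static void read_fields(struct rdr *r, struct ss_ep_comp *d)
{
    d->bLength           = rd_u8(r, 0);
    d->bDescriptorType   = rd_u8(r, 1);
    d->bMaxBurst         = rd_u8(r, 2);
    d->bmAttributes      = rd_u8(r, 3);
    d->wBytesPerInterval = (uint16_t)(rd_u8(r, 4) | ((uint16_t)rd_u8(r, 5) << 8));
}

/* Ordering the advisory describes as the bug: the type byte at offset 1 is read
 * and compared before anyone checks that `size` covers even the 2-byte header. */
static int parse_ss_ep_comp_vulnerable(struct rdr *r, struct ss_ep_comp *d)
{
    if (rd_u8(r, 1) != USB_DT_SS_ENDPOINT_COMP || r->size < USB_DT_SS_EP_COMP_SIZE)
        return -1;
    read_fields(r, d);
    return 0;
}

/* Size-first ordering: nothing in the buffer is touched until `size` is known
 * to cover the whole descriptor. The bLength guard is an extra check this
 * example adds; the advisory text only describes the size-before-type reorder. */
static int parse_ss_ep_comp_fixed(struct rdr *r, struct ss_ep_comp *d)
{
    if (r->size < USB_DT_SS_EP_COMP_SIZE)
        return -1;
    if (rd_u8(r, 1) != USB_DT_SS_ENDPOINT_COMP)
        return -1;
    if (rd_u8(r, 0) < USB_DT_SS_EP_COMP_SIZE)
        return -1;
    read_fields(r, d);
    return 0;
}

/* Constructed samples, not captured from real hardware. */
static const uint8_t sample_good[] = { 0x06, 0x30, 0x03, 0x02, 0x00, 0x04 };
/* Blob that ends right after bLength: the descriptor claims 6 bytes, 1 remains. */
static const uint8_t sample_truncated[] = { 0x06 };

/* Runs one parser over the truncated sample and returns how many reads went
 * past the declared size (use_fixed != 0 selects the size-first parser). */
int oob_reads_on_truncated(int use_fixed)
{
    struct rdr r = { sample_truncated, sizeof sample_truncated, 0 };
    struct ss_ep_comp d;
    if (use_fixed)
        parse_ss_ep_comp_fixed(&r, &d);
    else
        parse_ss_ep_comp_vulnerable(&r, &d);
    return r.oob_reads;
}

/* Parses the well-formed sample with the fixed parser and returns
 * wBytesPerInterval, or -1 if it was rejected or any read went out of bounds. */
int parse_good_bytes_per_interval(void)
{
    struct rdr r = { sample_good, sizeof sample_good, 0 };
    struct ss_ep_comp d;
    if (parse_ss_ep_comp_fixed(&r, &d) != 0 || r.oob_reads != 0)
        return -1;
    return d.wBytesPerInterval;
}

int main(void)
{
    printf("truncated: vulnerable ordering made %d OOB read(s), fixed ordering made %d\n",
           oob_reads_on_truncated(0), oob_reads_on_truncated(1));
    printf("well-formed: wBytesPerInterval = %d\n", parse_good_bytes_per_interval());
    return 0;
}
```

Compiled and run, the truncated sample shows the vulnerable ordering touching offset 1 of a buffer that only has offset 0, while the size-first ordering rejects it without reading anything; the well-formed sample parses to wBytesPerInterval 1024 either way.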
Defensive priority
Overall priority is medium, but raise it for exposed OT or embedded systems that enumerate externally supplied USB devices or allow physical USB access. If the Siemens product mapping applies to your environment, schedule remediation for the next maintenance window: the advisory provides a vendor fix path, and the recorded CVSS vector indicates the flaw can be triggered without user interaction.
Recommended defensive actions
- Confirm whether any deployed Siemens SIMATIC CN 4100 systems fall within the advisory's version scope (earlier than V5.0), and verify against the vendor bulletin before making changes.
- Update to V5.0 or later if the Siemens advisory applies to your environment.
- Restrict or control physical USB access on affected or potentially affected systems.
- Use the asset inventory to identify other Linux-based embedded or OT devices that enumerate USB devices from untrusted sources.
- Apply compensating controls until remediation is complete: limit removable media use, disable or lock down unused USB ports, and monitor kernel logs for unexpected USB device enumeration.
- Review the linked CISA and Siemens advisories for any vendor-specific mitigations or validation steps.
Evidence notes
The source corpus contains a CISA CSAF advisory (ICSA-26-134-10), published 2026-05-12 and last updated 2026-05-14, that republishes Siemens ProductCERT SSA-032379. The CVE description explicitly names a Linux kernel USB core parsing issue. The vendor/product fields in the supplied data map the issue to Siemens SIMATIC CN 4100 vers:intdot/<5.0, but that mapping is marked low confidence and needs review, so this debrief does not assert product impact beyond the advisory metadata. No KEV entry is present in the supplied data.
Official resources
- CVE-2025-39760 CVE record (CVE.org)
- CVE-2025-39760 NVD detail (NVD)
- Source item URL: cisa_csaf
Public advisory published 2026-05-12 and last updated 2026-05-14 in the CISA republication. No KEV listing is present in the supplied corpus.