PatchSiren cyber security CVE debrief
CVE-2025-39766 Cert Portal CVE debrief
CVE-2025-39766 is a configuration-sensitive Linux kernel networking issue described in CISA’s republished Siemens advisory ICSA-26-134-10. The advisory says cake_enqueue can drop packets after reaching a low buffer_limit but still return NET_XMIT_SUCCESS, which can lead htb_enqueue to call htb_activate with an empty child qdisc and raise a WARNING. Siemens’ listed remediation is to update the affected SIMATIC CN 4100 product to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: 7 (HIGH)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators and maintainers responsible for Siemens SIMATIC CN 4100 deployments, especially systems using Linux traffic-control qdisc features such as cake and htb. Linux kernel and firmware teams validating vendor updates should also review the advisory.
Technical summary
The supplied advisory text describes a mismatch between packet-dropping behavior and the return value from cake_enqueue. When a low memlimit drives buffer_limit low enough to drop packets, the function may still report NET_XMIT_SUCCESS, which can confuse htb_enqueue/htb_activate into acting on an empty child qdisc and trigger a kernel warning. The advisory states that NET_XMIT_CN should be returned when packets are dropped from the same tin and flow, while noting that ack-filtering drops are treated differently. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (score 7, HIGH).
Defensive priority
High for systems that match the advisory’s Siemens product scope and use the affected traffic-control path. The issue appears to require local conditions and a specific qdisc configuration to trigger, so it is not presented here as a broad remote-execution concern.
Recommended defensive actions
- Update Siemens SIMATIC CN 4100 to V5.0 or later as directed in the advisory.
- Review deployed systems for use of cake/htb qdisc configurations and prioritize those hosts for remediation.
- Schedule and validate the vendor update in a maintenance window before broad rollout.
- After updating, monitor for kernel warnings or traffic-control anomalies to confirm the remediation is effective.
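As an added example (not from the advisory, CISA or Siemens), a POSIX shell function that parses the text of "tc qdisc show" and reports cake qdiscs attached under an htb qdisc on the same device, which is the traffic-control path the technical summary describes and the configuration the review action above asks you to find; it also reports an explicit memlimit when one is set. The sample tc output is constructed.

```shell
#!/bin/sh
# Constructed sample in the format printed by `tc qdisc show` (not captured from a real host).
SAMPLE_TC='qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 0x10 direct_packets_stat 0 direct_qlen 1000
qdisc cake 10: dev eth0 parent 1:10 bandwidth 100Mbit besteffort triple-isolate nonat nowash no-ack-filter split-gso rtt 100ms raw overhead 0 memlimit 32Kb
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64
qdisc cake 8001: dev eth2 root refcnt 2 bandwidth unlimited diffserv3 triple-isolate nonat nowash no-ack-filter split-gso rtt 100ms raw overhead 0'

# find_cake_under_htb: reads `tc qdisc show` output on stdin and prints one line
# per cake qdisc whose parent class belongs to an htb qdisc on the same device:
#   <dev> cake <handle>: parent <major:minor> memlimit <value|->
# Exit status 0 if at least one such qdisc was found, 1 otherwise.
find_cake_under_htb() {
  awk '
  $1 == "qdisc" {
    kind = $2; handle = $3; dev = $5          # line shape: qdisc <kind> <major:> dev <dev> ...
    sub(/:$/, "", handle)                     # "1:" -> "1"
    if (kind == "htb") htb[dev ":" handle] = 1
    if (kind == "cake") {
      parent = ""; mem = "-"
      for (i = 6; i <= NF; i++) {
        if ($i == "parent") parent = $(i + 1)    # absent for a root cake qdisc
        if ($i == "memlimit") mem = $(i + 1)     # only printed when set explicitly
      }
      n++; cdev[n] = dev; chandle[n] = handle; cparent[n] = parent; cmem[n] = mem
    }
  }
  END {
    found = 1
    for (i = 1; i <= n; i++) {
      if (cparent[i] == "") continue
      split(cparent[i], p, ":")                # parent class "1:10" -> major "1"
      key = cdev[i] ":" p[1]
      if (key in htb) {
        printf "%s cake %s: parent %s memlimit %s\n", cdev[i], chandle[i], cparent[i], cmem[i]
        found = 0
      }
    }
    exit found
  }'
}

# Demo on the constructed sample; on a live host use: tc qdisc show | find_cake_under_htb
printf '%s\n' "$SAMPLE_TC" | find_cake_under_htb
```

A root cake qdisc (eth2 in the sample) is not reported, because the advisory's warning path runs through htb_enqueue calling into a cake child.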
Evidence notes
Primary evidence comes from CISA CSAF advisory ICSA-26-134-10, which republishes Siemens ProductCERT SSA-032379 and includes the description of the kernel warning scenario, the affected product entry, and the remediation to update to V5.0 or later. The CVE record is included for identity confirmation. The vendor/product mapping supplied with this debrief is marked low confidence, so external publication should verify that mapping against the advisory before treating it as definitive. Timing context used here is the supplied publication date of 2026-05-12 and modification date of 2026-05-14.
Official resources
- CVE-2025-39766 CVE record (CVE.org)
- CVE-2025-39766 NVD detail (NVD)
- Source item: CISA CSAF advisory (cisa_csaf)
CISA published the advisory on 2026-05-12 and republished it on 2026-05-14 with Siemens ProductCERT content. The supplied vendor/product mapping for this CVE is low confidence and should be reviewed against the advisory before publication.