PatchSiren cyber security CVE debrief

CVE-2025-39770 Cert Portal CVE debrief

CVE-2025-39770 describes a Linux kernel networking bug in IPv6 Generic Segmentation Offload (GSO). When an IPv6 packet carries extension headers, the stack can incorrectly request checksum offload from a device that only advertises NETIF_F_IPV6_CSUM, even though that feature is defined only for plain TCP or UDP over IPv6 without extension headers. The result can be a `skb_warn_bad_offload` warning and a collapse in network throughput. The source advisory says the checksum should be computed in software in this case, and the advisory text explicitly notes an exception for BIG TCP. From a defensive standpoint, this is primarily an availability issue rather than a confidentiality or integrity issue. The published source links the problem to Siemens SIMATIC CN 4100 versions before 5.0 and recommends updating to V5.0 or later. Because the source metadata marks the Siemens product mapping as low confidence and needing review, organizations should verify whether their affected systems actually use the impacted Linux kernel path before prioritizing remediation.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators of Siemens SIMATIC CN 4100 systems running versions earlier than 5.0, and defenders responsible for Linux-based network paths that use IPv6 tunnels, extension headers, or checksum offload features on devices advertising only NETIF_F_IPV6_CSUM.

Technical summary

The kernel’s `gso_features_check` logic may leave `NETIF_F_IPV6_CSUM` enabled for IPv6 packets that include extension headers. That can cause the stack to request checksum offload from hardware that does not support such packets, producing `skb_warn_bad_offload` warnings and forcing problematic transmit behavior. The source advisory indicates the fix is to mask `NETIF_F_IPV6_CSUM`, `NETIF_F_TSO6`, and `NETIF_F_GSO_UDP_L4` when the IPv6 header contains extension headers, so checksum handling falls back to software. The issue is described as affecting availability/throughput rather than enabling code execution.

Defensive priority

Medium

Recommended defensive actions

  • Review whether any Siemens SIMATIC CN 4100 deployments are running versions earlier than V5.0 and schedule the vendor-recommended update to V5.0 or later.
  • If you operate Linux systems that use IPv6 tunnels or extension headers, validate kernel versions and confirm whether the fixed `gso_features_check` behavior is present.
  • Monitor for `skb_warn_bad_offload` warnings and unexplained throughput collapse on affected network paths.
  • Where feasible, test packet paths that use IPv6 extension headers against your current offload configuration to confirm checksum handling is software-based when required.
  • Treat the Siemens product mapping in the source advisory as low-confidence until you verify the affected deployment architecture.

Evidence notes

The source advisory text states that IPv6 packets with extension headers can incorrectly trigger checksum offload requests on devices that only support NETIF_F_IPV6_CSUM, causing `skb_warn_bad_offload` and throughput collapse. The same source provides the remediation: mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6, and NETIF_F_GSO_UDP_L4 in `gso_features_check` when extension headers are present, with a BIG TCP exception noted in the advisory. The remediation section for the Siemens advisory specifies updating to V5.0 or later. The source metadata also marks the Siemens product association as low confidence and needing review.
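The masking rule described in the Technical summary and repeated in these Evidence notes, modelled in C as an added example. This is not the kernel's `gso_features_check` and not code from the advisory: the NETIF_F_* bit positions are placeholders (the real values are in the kernel's netdev feature headers), the packets are constructed byte arrays, and the BIG TCP exemption is modelled on the assumption that the Jumbo Payload Hop-by-Hop header is removed before the packet reaches the driver. The parser walks the first Hop-by-Hop header's options (RFC 2675 Jumbo Payload type 0xC2) so it can tell BIG TCP apart from any other extension header, which is the general case the one-line rule in the advisory implies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholder bit positions for the feature flags named in the debrief. */
#define NETIF_F_HW_CSUM    (1u << 0)  /* device checksums any header layout */
#define NETIF_F_IPV6_CSUM  (1u << 1)  /* defined for plain TCP/UDP over IPv6 only */
#define NETIF_F_TSO6       (1u << 2)
#define NETIF_F_GSO_UDP_L4 (1u << 3)

/* Real protocol numbers (IANA) and the Jumbo Payload option type (RFC 2675). */
#define IPPROTO_HOPOPTS 0
#define IPPROTO_TCP     6
#define IPPROTO_UDP     17
#define IPPROTO_DSTOPTS 60
#define IPV6_TLV_JUMBO  0xC2
#define IPV6_HDR_LEN    40

struct ip6_probe {
    bool    valid;     /* parsed as IPv6 */
    uint8_t nexthdr;   /* Next Header field of the fixed header */
    bool    jumbo_hbh; /* first extension header is Hop-by-Hop with Jumbo Payload */
};

/* Read the fixed IPv6 header; if a Hop-by-Hop header follows, walk its TLV
 * options to see whether it is the Jumbo Payload header that BIG TCP uses. */
static struct ip6_probe probe_ipv6(const uint8_t *pkt, size_t len)
{
    struct ip6_probe p = { false, 0, false };

    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return p;
    p.valid = true;
    p.nexthdr = pkt[6];
    if (p.nexthdr != IPPROTO_HOPOPTS || len < IPV6_HDR_LEN + 8)
        return p;

    const uint8_t *hbh = pkt + IPV6_HDR_LEN;
    size_t hbh_len = ((size_t)hbh[1] + 1) * 8;  /* Hdr Ext Len: 8-octet units, first 8 excluded */
    if (len < IPV6_HDR_LEN + hbh_len)
        return p;
    for (size_t off = 2; off < hbh_len; ) {     /* options follow the 2-byte prefix */
        uint8_t type = hbh[off];
        if (type == 0) { off++; continue; }     /* Pad1 has no length byte */
        if (off + 1 >= hbh_len) break;          /* truncated TLV */
        uint8_t olen = hbh[off + 1];
        if (off + 2 + olen > hbh_len) break;
        if (type == IPV6_TLV_JUMBO && olen == 4) { p.jumbo_hbh = true; break; }
        off += 2 + olen;
    }
    return p;
}

/* Model of the advisory's rule: when extension headers are present and the
 * device lacks NETIF_F_HW_CSUM, clear the IPv6-specific offload bits so the
 * checksum is computed in software. BIG TCP's Jumbo Hop-by-Hop header is
 * exempted (assumption: it is stripped before the driver sees the packet). */
static uint32_t gso_ipv6_offload_check(const uint8_t *pkt, size_t len, uint32_t features)
{
    const uint32_t v6_offload = NETIF_F_IPV6_CSUM | NETIF_F_TSO6 | NETIF_F_GSO_UDP_L4;
    struct ip6_probe p = probe_ipv6(pkt, len);

    if (!p.valid || (features & NETIF_F_HW_CSUM) || !(features & NETIF_F_IPV6_CSUM))
        return features;
    if (p.nexthdr == IPPROTO_TCP || p.nexthdr == IPPROTO_UDP)
        return features;                /* the layout NETIF_F_IPV6_CSUM is defined for */
    if (p.jumbo_hbh)
        return features;                /* BIG TCP exception noted in the advisory */
    return features & ~v6_offload;      /* extension headers: fall back to software */
}

/* Construct an IPv6 packet: zeroed fixed header with the given Next Header,
 * followed by an optional extension-header blob. Returns the total length. */
static size_t build_ipv6(uint8_t *buf, size_t cap, uint8_t nexthdr, const uint8_t *ext, size_t extlen)
{
    if (cap < IPV6_HDR_LEN + extlen)
        return 0;
    memset(buf, 0, IPV6_HDR_LEN);
    buf[0] = 0x60;                      /* version 6 */
    buf[5] = (uint8_t)extlen;           /* payload length: only the ext header here */
    buf[6] = nexthdr;
    buf[7] = 64;                        /* hop limit */
    if (extlen)
        memcpy(buf + IPV6_HDR_LEN, ext, extlen);
    return IPV6_HDR_LEN + extlen;
}

/* Constructed extension headers; each is followed by TCP. */
static const uint8_t DSTOPTS_PADN[8] = { IPPROTO_TCP, 0, 1, 4, 0, 0, 0, 0 };              /* DestOpts: PadN(4) */
static const uint8_t HBH_PADN[8]     = { IPPROTO_TCP, 0, 1, 4, 0, 0, 0, 0 };              /* Hop-by-Hop: PadN(4) */
static const uint8_t HBH_JUMBO[8]    = { IPPROTO_TCP, 0, IPV6_TLV_JUMBO, 4, 0, 1, 0, 0 }; /* Hop-by-Hop: Jumbo Payload */

/* Each scenario returns the features left after the check. */
static uint32_t run_scenario(uint8_t nexthdr, const uint8_t *ext, size_t extlen, uint32_t features)
{
    uint8_t buf[64];
    size_t n = build_ipv6(buf, sizeof buf, nexthdr, ext, extlen);
    return gso_ipv6_offload_check(buf, n, features);
}
static uint32_t scenario_plain_tcp(uint32_t f) { return run_scenario(IPPROTO_TCP, NULL, 0, f); }
static uint32_t scenario_dstopts(uint32_t f)   { return run_scenario(IPPROTO_DSTOPTS, DSTOPTS_PADN, 8, f); }
static uint32_t scenario_hbh_padn(uint32_t f)  { return run_scenario(IPPROTO_HOPOPTS, HBH_PADN, 8, f); }
static uint32_t scenario_bigtcp(uint32_t f)    { return run_scenario(IPPROTO_HOPOPTS, HBH_JUMBO, 8, f); }

int main(void)
{
    uint32_t dev = NETIF_F_IPV6_CSUM | NETIF_F_TSO6 | NETIF_F_GSO_UDP_L4; /* device advertising only IPv6 CSUM */
    printf("plain TCP   : %#x\n", scenario_plain_tcp(dev));
    printf("DestOpts    : %#x\n", scenario_dstopts(dev));
    printf("HBH PadN    : %#x\n", scenario_hbh_padn(dev));
    printf("BIG TCP HBH : %#x\n", scenario_bigtcp(dev));
    return 0;
}
```

The two Hop-by-Hop scenarios are the point of the parser: a Hop-by-Hop header with ordinary padding is still an extension header and loses offload, while the Jumbo Payload form keeps it. A device that advertises NETIF_F_HW_CSUM is left alone in every scenario, since that feature covers arbitrary header layouts.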

Official resources

Published by CISA as ICSA-26-134-10 on 2026-05-12 and republished from Siemens ProductCERT on 2026-05-14. No KEV entry is listed in the supplied source data.