PatchSiren cyber security CVE debrief
CVE-2025-39782 Cert Portal CVE debrief
CVE-2025-39782 is an availability issue in the Linux kernel checkpoint path that can cause a soft lockup when jbd2_log_do_checkpoint() runs for too long without an explicit reschedule point. The public advisory was first published on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT material. The source advisory maps the issue to Siemens SIMATIC CN 4100 versions before 5.0 and recommends updating to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Asset owners, operators, and maintenance teams responsible for Siemens SIMATIC CN 4100 systems identified in the advisory, especially environments that can trigger ext4/jbd2 writeback activity. Because the impact is availability-only, availability-sensitive deployments should prioritize validation and patching.
Technical summary
The advisory says both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock during batch processing, but only the latter explicitly calls cond_resched() when need_resched() is true. jbd2_log_do_checkpoint() instead relies on potentially sleeping paths such as __flush_batch() or wait_on_buffer() to yield. If those paths do not sleep, the kernel can remain busy long enough to hit a watchdog soft lockup. The reported stack trace shows the issue during writeback and ext4 journal handling, and the CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Defensive priority
Medium to high for affected Siemens assets because the impact is a kernel soft lockup and service interruption, not code execution or data corruption. Treat as a priority availability fix where the affected product/version is present.
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, as directed in the vendor remediation.
- Confirm whether the deployed product and version match the advisory scope before and after patching.
- Review maintenance windows and test the update on a representative system before fleet-wide rollout.
- Monitor affected systems for watchdog or soft-lockup messages during writeback-heavy workloads while remediation is planned.
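One way to implement the monitoring step above, as an added example that is not part of the advisory or vendor material: a small parser that finds watchdog soft-lockup reports in kernel log text and flags those whose call trace includes `jbd2_log_do_checkpoint()`. The sample log lines, offsets, and the `example_*` names are constructed for illustration, and the parser assumes traces are closed by a `</TASK>` line as on recent x86 kernels.

```python
import re

# Header printed by the kernel watchdog for a soft lockup.
LOCKUP_RE = re.compile(r"BUG: soft lockup - CPU#(\d+) stuck for (\d+)s! \[(.+?):(\d+)\]")
# A reliable stack frame such as " jbd2_log_do_checkpoint+0x1b2/0x4c0 [jbd2]";
# frames the kernel marks with "?" are unreliable and are skipped.
FRAME_RE = re.compile(r"(?<!\?)\s([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Function the advisory names as lacking an explicit reschedule point.
CHECKPOINT_FN = "jbd2_log_do_checkpoint"

def find_lockups(lines):
    """Return one dict per soft-lockup report, with the frames that follow it."""
    reports, current = [], None
    for line in lines:
        header = LOCKUP_RE.search(line)
        if header:
            cpu, secs, task, pid = header.groups()
            current = {"cpu": int(cpu), "seconds": int(secs), "task": task,
                       "pid": int(pid), "frames": [], "checkpoint_path": False}
            reports.append(current)
        elif current is not None:
            if "</TASK>" in line:  # end of this call trace
                current = None
                continue
            frame = FRAME_RE.search(line)
            if frame:
                current["frames"].append(frame.group(1))
                if frame.group(1) == CHECKPOINT_FN:
                    current["checkpoint_path"] = True
    return reports

# Constructed sample lines (not the stack trace from the advisory).
SAMPLE_LOG = """\
[ 8120.114512] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [kworker/u16:3:4121]
[ 8120.114530] Call Trace:
[ 8120.114533]  <TASK>
[ 8120.114536]  ? __pfx_example_helper+0x10/0x10
[ 8120.114540]  jbd2_log_do_checkpoint+0x1b2/0x4c0 [jbd2]
[ 8120.114545]  __jbd2_log_wait_for_space+0x10a/0x1f0 [jbd2]
[ 8120.114549]  ext4_writepages+0x7c/0x110 [ext4]
[ 8120.114553]  wb_workfn+0x2a0/0x4a0
[ 8120.114557]  </TASK>
[ 9001.000100] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [example_task:77]
[ 9001.000110]  <TASK>
[ 9001.000120]  example_busy_loop+0x40/0x90
[ 9001.000130]  </TASK>
""".splitlines()

if __name__ == "__main__":
    for r in find_lockups(SAMPLE_LOG):
        tag = "jbd2 checkpoint path" if r["checkpoint_path"] else "other cause"
        print(f"CPU#{r['cpu']} {r['task']}[{r['pid']}] stuck {r['seconds']}s: {tag}")
```

On a live system the same function can be fed the lines of `dmesg` or `journalctl -k` output instead of `SAMPLE_LOG`.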
Evidence notes
The source advisory (ICSA-26-134-10 / SSA-032379) describes a Linux kernel jbd2 softlockup condition and lists remediation as updating to V5.0 or later. The advisory metadata records publication on 2026-05-12 and republication on 2026-05-14. The CVSS vector provided is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which supports an availability-focused assessment. The vendor/product mapping in the supplied source is low confidence and marked needsReview, so the Siemens product scope should be validated against the official Siemens advisory.
Official resources
- CVE-2025-39782 CVE record (CVE.org)
- CVE-2025-39782 NVD detail (NVD)
- Source item URL (cisa_csaf)
Public advisory first published on 2026-05-12 and updated on 2026-05-14. The supplied source associates the issue with Siemens ProductCERT advisory SSA-032379 / CISA ICSA-26-134-10. No exploit code or weaponization details are included here.