PatchSiren cyber security CVE debrief
CVE-2025-39790 Cert Portal CVE debrief
CVE-2025-39790 is an industrial-control disclosure centered on Linux kernel MHI completion handling. The advisory says a remote device can send an event whose TRE pointer does not match the host’s expected next ring entry, and stale event data can cause the host to process the wrong transfer range. In the worst case, a buffer may be freed twice when the host follows that stale pointer. Siemens maps the issue to SIMATIC CN 4100 versions below 5.0 and recommends updating to V5.0 or later.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 6.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Operators and maintainers of Siemens SIMATIC CN 4100 devices, especially versions below 5.0; teams responsible for Linux-based MHI host stacks in affected industrial deployments; and incident responders tracking memory-safety issues in OT environments.
Technical summary
The flaw is a pointer-validation problem in MHI completion-event processing. The host uses the TRE pointer carried in an event to decide which ring entries to advance and process. If the device updates the event ring out of order, or if the pointer in the event refers to an unexpected TRE rather than local_rp + 1, the host may treat a single transfer as a chained sequence and free one or more buffers twice. The published fix hardens host-side handling so unexpected event pointers are not trusted as normal linear progress.
Defensive priority
High for affected deployments, despite the Medium CVSS score, because the issue can cause memory corruption and double-free behavior in OT-facing equipment.
Recommended defensive actions
- Update Siemens SIMATIC CN 4100 systems to V5.0 or later, per the vendor remediation.
- Confirm whether any deployed Linux MHI host or endpoint stack includes the host-side fix described in the advisory.
- Inventory affected devices and schedule maintenance windows to apply updates safely in operational environments.
- Watch for crashes, resets, or memory-corruption symptoms around MHI event handling and transfer completion paths.
- Use the Siemens and CISA advisory links to validate applicability and follow vendor guidance before deployment.
Evidence notes
CVE-2025-39790 was published on 2026-05-12 and modified on 2026-05-14. The supplied CISA CSAF source (ICSA-26-134-10) republishes Siemens ProductCERT material and identifies Siemens SIMATIC CN 4100 versions below 5.0 as the affected product line. The advisory text ties the issue to Linux kernel bus:mhi:host event handling and gives a CVSS v3.1 vector of AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (6.7, Medium).
Official resources
-
CVE-2025-39790 CVE record
CVE.org
-
CVE-2025-39790 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory on 2026-05-12 and republished with Siemens ProductCERT material on 2026-05-14.