CVE-2025-39794 Cert Portal CVE debrief

Who should care

OT/ICS operators using Siemens SIMATIC CN 4100 devices below V5.0, Siemens product owners, Linux kernel maintainers, and defenders responsible for ARM/Tegra-based embedded systems.

Technical summary

The advisory describes a Linux kernel ARM: tegra code path that writes to IRAM using standard memcpy instead of I/O memcpy. According to the source text, KASAN crashes the kernel while checking boundaries with the normal memcpy. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, which points to a local, low-privilege condition with high integrity and availability impact.

Defensive priority

High for affected Siemens SIMATIC CN 4100 deployments below V5.0, because the vendor remediation is a version update and the scoring shows meaningful local impact to integrity and availability.

Recommended defensive actions

• Update Siemens SIMATIC CN 4100 to V5.0 or later, per the vendor remediation in the supplied advisory.
• Validate whether any deployed devices are running versions prior to 5.0 and prioritize those systems for patching.
• Review operational procedures for local access control on affected systems, since the CVSS vector indicates local low-privilege conditions.
• Monitor the CISA and Siemens advisories linked in the source corpus for any revisions or additional guidance.
• Use standard ICS defense-in-depth and asset management practices for affected embedded systems.

Evidence notes

Source corpus links the CVE to CISA advisory ICSA-26-134-10 and Siemens ProductCERT advisory SSA-032379. The advisory was initially published on 2026-05-12 and republished by CISA on 2026-05-14. The supplied remediation is to update to V5.0 or later. No KEV entry is present in the supplied corpus. The vendor mapping in the source item is marked low confidence and needs review, so the product association should be treated as advisory-supplied rather than independently confirmed here.

Official resources