PatchSiren cyber security CVE debrief
CVE-2025-39801 Cert Portal CVE debrief
CVE-2025-39801 concerns a Linux kernel DWC3 endpoint-command timeout path where WARN_ON handling could trigger an avoidable kernel panic when panic_on_warn is enabled, or generate unnecessary call traces otherwise. The advisory links the issue to Siemens SIMATIC CN 4100 versions before 5.0 and says the problem was observed during fast software-controlled USB connect/disconnect test cases. From a defensive standpoint, the main risk is denial of service through system instability rather than data compromise.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
OT/ICS operators using Siemens SIMATIC CN 4100 devices, administrators responsible for Linux-based embedded platforms with USB DWC3 support, and engineering teams that rely on fast USB connect/disconnect or control-transfer workflows should pay attention.
Technical summary
The source advisory says the kernel bug occurs in usb: dwc3 when device endpoint commands time out and WARN_ON is reached during endpoint command handling. In the reported scenario, incomplete control transfers from a prior connect can overlap with disconnect processing and USB_ENDPOINT_HALT handling, especially on Exynos platforms. The result is not a classic memory corruption issue; it is an availability problem where warning paths can escalate to panic if panic_on_warn is configured, or create unnecessary traces if it is not. The advisory and CVSS vector both emphasize local access and high availability impact, with no confidentiality or integrity impact noted.
Defensive priority
Medium
Recommended defensive actions
- Update Siemens SIMATIC CN 4100 to V5.0 or later, as directed in the Siemens ProductCERT advisory.
- Review systems that use Linux kernel USB DWC3 support for exposure to endpoint-command timeout behavior during USB connect/disconnect sequences.
- Treat unexpected kernel warnings or panics during USB gadget or control-transfer testing as a priority stability issue and validate firmware updates before production deployment.
- If you operate affected OT assets, schedule maintenance to apply the vendor update and verify post-update behavior under normal USB device lifecycle events.
Evidence notes
The supplied CISA CSAF source and Siemens advisory references describe a Linux kernel usb: dwc3 WARN_ON timeout issue tied to rare USB endpoint command timeouts, with observed kernel panic risk when panic_on_warn is enabled. The source maps the advisory to Siemens SIMATIC CN 4100 versions before 5.0 and provides a vendor remediation to update to V5.0 or later. PublishedAt is 2026-05-12 and ModifiedAt is 2026-05-14; those dates are the advisory timing context, not the vulnerability creation date.
Official resources
-
CVE-2025-39801 CVE record
CVE.org
-
CVE-2025-39801 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in a CISA ICS advisory on 2026-05-12 and republished from Siemens ProductCERT on 2026-05-14. The source corpus associates the issue with Siemens SIMATIC CN 4100 versions before 5.0.