PatchSiren cyber security CVE debrief
CVE-2025-39806 Cert Portal CVE debrief
CVE-2025-39806 describes a slab out-of-bounds read in the Linux kernel HID multitouch path. A malicious HID device can provide a report descriptor smaller than 608 bytes, and mt_report_fixup() may still read byte offset 607 while checking whether it should patch the descriptor. The fix is to verify the descriptor is at least 608 bytes before any access at that offset. The source advisory rates the issue HIGH with CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.0 (CVSS 3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Linux kernel maintainers, embedded/OT device operators, and administrators who accept untrusted or physically connected HID peripherals should prioritize this. The advisory source also lists Siemens SIMATIC CN 4100 product metadata, so Siemens-focused defenders should validate whether their deployed images or firmware include the affected kernel code path.
Technical summary
The vulnerable function mt_report_fixup() in the HID multitouch driver assumes a descriptor is large enough to inspect offset 607 and potentially rewrite that byte. When a descriptor shorter than 608 bytes is supplied, the function can read past the end of the slab object, triggering a KASAN slab-out-of-bounds report during device probing/opening. The corrective change is a bounds check that enforces a minimum descriptor length of 608 bytes before accessing offset 607.
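The following is an added illustrative example, not the kernel's hid-multitouch.c. It models the two shapes of the quirk described above: a fixup that dereferences offset 607 on trust, and the hardened form that first requires at least 608 bytes. The function names, the FIXUP_* result codes, the "expected" and "replacement" byte values, and the poisoned backing buffer standing in for slab memory are all assumptions made for this example; only the offset (607) and the minimum length (608) come from the advisory.

```c
/* Added example: models the length check the fix adds to mt_report_fixup().
 * Names, result codes and the byte values 0x15/0x25 are placeholders for
 * this example, not values taken from the source. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIXUP_OFFSET    607U                  /* byte the quirk inspects (from the advisory) */
#define FIXUP_MIN_SIZE  (FIXUP_OFFSET + 1U)   /* 608: smallest descriptor that contains it */
#define FIXUP_EXPECTED  0x15                  /* placeholder: value the quirk looks for */
#define FIXUP_REPLACE   0x25                  /* placeholder: value written on a match */
#define SLACK_POISON    0xAA                  /* marks bytes that are NOT part of the descriptor */
#define BACKING_LEN     1024U                 /* stands in for the slab object's surroundings */

enum fixup_result {
    FIXUP_TOO_SHORT = 0,  /* descriptor cannot contain offset 607; nothing touched */
    FIXUP_PATCHED,        /* byte 607 matched and was rewritten */
    FIXUP_NO_MATCH,       /* byte 607 was read but did not match */
};

/* Vulnerable shape: 'size' is never consulted, so a descriptor shorter than
 * 608 bytes makes rdesc[607] a read (and possibly a write) past its end. */
static enum fixup_result fixup_vulnerable(uint8_t *rdesc, size_t size)
{
    (void)size;                               /* the bug: length is ignored */
    if (rdesc[FIXUP_OFFSET] == FIXUP_EXPECTED) {
        rdesc[FIXUP_OFFSET] = FIXUP_REPLACE;
        return FIXUP_PATCHED;
    }
    return FIXUP_NO_MATCH;
}

/* Hardened shape: the bounds check the fix adds, evaluated before any
 * access at offset 607. */
static enum fixup_result fixup_fixed(uint8_t *rdesc, size_t size)
{
    if (size < FIXUP_MIN_SIZE)
        return FIXUP_TOO_SHORT;
    if (rdesc[FIXUP_OFFSET] == FIXUP_EXPECTED) {
        rdesc[FIXUP_OFFSET] = FIXUP_REPLACE;
        return FIXUP_PATCHED;
    }
    return FIXUP_NO_MATCH;
}

/* Constructed input: the first desc_len bytes are the descriptor, everything
 * after is poisoned so an out-of-descriptor read shows up as SLACK_POISON
 * instead of undefined behaviour (on a real slab it is whatever neighbours
 * the object, which is what KASAN flags). */
static void build_descriptor(uint8_t *backing, size_t desc_len, uint8_t byte_607)
{
    memset(backing, SLACK_POISON, BACKING_LEN);
    memset(backing, 0x05, desc_len);          /* arbitrary descriptor filler */
    if (desc_len > FIXUP_OFFSET)
        backing[FIXUP_OFFSET] = byte_607;     /* only meaningful when in range */
}

/* Runs one variant on a desc_len-byte descriptor; reports the result and the
 * value left at backing[607] so a stray read or write is observable. */
static enum fixup_result run_case(size_t desc_len, uint8_t byte_607,
                                  int use_fixed, uint8_t *byte_after)
{
    uint8_t backing[BACKING_LEN];
    enum fixup_result r;

    build_descriptor(backing, desc_len, byte_607);
    r = use_fixed ? fixup_fixed(backing, desc_len)
                  : fixup_vulnerable(backing, desc_len);
    *byte_after = backing[FIXUP_OFFSET];
    return r;
}

static int result_for(size_t desc_len, uint8_t byte_607, int use_fixed)
{
    uint8_t b;
    return run_case(desc_len, byte_607, use_fixed, &b);
}

static int byte_after(size_t desc_len, uint8_t byte_607, int use_fixed)
{
    uint8_t b;
    run_case(desc_len, byte_607, use_fixed, &b);
    return b;
}

int main(void)
{
    /* A 100-byte descriptor from a hostile device: the vulnerable shape reads
     * poison beyond the descriptor; the fixed shape refuses to look. */
    printf("vulnerable, 100 bytes: result=%d byte[607]=0x%02x\n",
           result_for(100, 0, 0), byte_after(100, 0, 0));
    printf("fixed,      100 bytes: result=%d byte[607]=0x%02x\n",
           result_for(100, 0, 1), byte_after(100, 0, 1));
    /* A 700-byte descriptor carrying the expected byte is patched normally. */
    printf("fixed,      700 bytes: result=%d byte[607]=0x%02x\n",
           result_for(700, FIXUP_EXPECTED, 1), byte_after(700, FIXUP_EXPECTED, 1));
    return 0;
}
```

The point of the poisoned backing buffer is that the vulnerable shape "succeeds" on a 100-byte descriptor by returning a verdict on a byte that was never part of the descriptor; if that stray byte happened to equal the expected value, the quirk would also write past the object. The fix makes the length a precondition of the access rather than something the device is trusted to satisfy.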
Defensive priority
High for systems that may process untrusted HID devices or physically attached peripherals; otherwise moderate but still worth fast patching because the flaw affects kernel memory safety.
Recommended defensive actions
- Apply the vendor or kernel fix that ensures mt_report_fixup() validates a minimum descriptor size of 608 bytes before reading offset 607.
- Update to the Siemens-referenced fixed release: V5.0 or later, if the advisory applies to your deployment.
- Review where HID devices are accepted from untrusted sources, especially kiosks, lab systems, and industrial endpoints with removable peripherals.
- Limit unauthorized physical access to endpoints and USB/HID attachment points where feasible.
- Monitor kernel and device-probing logs for crashes or KASAN-like reports involving HID multitouch initialization.
- Validate whether your asset inventory actually uses the Siemens SIMATIC CN 4100 product mapping in the advisory, since the vulnerability text itself is Linux-kernel specific.
Evidence notes
Source text states: 'HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()' and explains that a malicious HID device can trigger a slab out-of-bounds read when the report descriptor is shorter than 608 bytes, so that offset 607 lies past its end. The source also includes a KASAN splat showing the read in mt_report_fixup() during hid_open_report() / mt_probe(). Remediation in the source references 'Update to V5.0 or later version.' Note: the advisory metadata maps this CVE to 'Siemens SIMATIC CN 4100 vers:intdot/<5.0', but the vulnerability description itself is about the Linux kernel HID multitouch driver; validate that product association before acting on it operationally.
Official resources
- CVE-2025-39806 CVE record (CVE.org)
- CVE-2025-39806 NVD detail (NVD)
- Source item URL (cisa_csaf)
Published by CISA on 2026-05-12 and republished with Siemens ProductCERT content on 2026-05-14. Use the CVE published date for timing context; the advisory source modified date is 2026-05-14.