PatchSiren cyber security CVE debrief
CVE-2025-39808 Cert Portal CVE debrief
CVE-2025-39808 describes a Linux kernel HID issue in ntrig_report_version() where a missing null check can let hid_to_usb_dev() operate on an invalid USB parent path and trigger a page fault. The advisory source maps this to Siemens SIMATIC CN 4100 v<5.0 and recommends updating to V5.0 or later. Published by CISA on 2026-05-12 and republished on 2026-05-14, it is best treated as a medium-priority availability fix.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Siemens SIMATIC CN 4100 operators, OT/ICS asset owners, and teams responsible for Linux-based device firmware or HID/USB input handling should review this advisory. Security teams should also verify whether any deployed systems use the affected component path described in the advisory and whether version V5.0 or later is installed.
Technical summary
The vulnerability text says that in ntrig_report_version(), a descriptor path sent to /dev/uhid can leave hdev->dev.parent->parent null. When hid_to_usb_dev(hdev) is then used by usb_rcvctrlpipe(), it may dereference an invalid address and cause a page fault. The resolved fix adds a null check before calling hid_to_usb_dev().
Defensive priority
Moderate. Prioritize this as a stability and availability fix, especially on systems that may process untrusted HID descriptors or rely on the affected kernel path. The stated remediation is to update to V5.0 or later.
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, per the advisory remediation.
- Confirm whether your deployment uses the Linux kernel HID path referenced by ntrig_report_version() and document exposure.
- Review logs and crash reports for kernel page faults or USB/HID handling errors around the affected component.
- Coordinate patching during a maintenance window if the device is production OT/ICS infrastructure.
- Validate vendor guidance from Siemens and CISA before making changes in safety- or uptime-sensitive environments.
Evidence notes
Source timing is based on the advisory publication date of 2026-05-12 and CISA republication on 2026-05-14, not on generation time. The source advisory (ICSA-26-134-10) and Siemens ProductCERT reference both describe the Linux kernel HID/ntrig page-fault condition and the remediation to update to V5.0 or later. The vendor/product mapping in the supplied data is low confidence and appears inconsistent with the vulnerability text, so it should be reviewed before operational use.
Official resources
-
CVE-2025-39808 CVE record
CVE.org
-
CVE-2025-39808 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA advisory ICSA-26-134-10 on 2026-05-12, with a CISA republication/update on 2026-05-14. The source material ties the issue to Siemens ProductCERT advisory SSA-032379.