PatchSiren

CVE-2025-39812 Cert Portal CVE debrief

CVE-2025-39812 is documented in a CISA-republished Siemens advisory as an uninitialized-field issue in Linux kernel SCTP IPv6 handling. The reported bug leaves sin6_scope_id and sin6_flowinfo insufficiently initialized in sctp_v6_from_sk(), which can trigger undefined behavior and KMSAN uninit-value reports during SCTP address comparison and listen-path processing. The source corpus ties the advisory to Siemens SIMATIC CN 4100, but the vulnerability description itself is for the Linux kernel, so applicability should be verified before acting.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Teams responsible for Siemens SIMATIC CN 4100 deployments, as well as administrators or engineers tracking Linux kernel SCTP behavior on affected systems, should review this advisory. Because the source corpus contains a product-description mismatch, asset owners should confirm whether the advisory applies to their environment before prioritizing remediation.

Technical summary

The advisory text says sctp_v6_from_sk() did not properly initialize sin6_scope_id and sin6_flowinfo. That can propagate uninitialized data into SCTP IPv6 address comparison logic, where the supplied KMSAN trace shows __sctp_v6_cmp_addr(), sctp_inet6_cmp_addr(), and related bind/listen paths observing an uninitialized value. The remediation listed in the source corpus is to update to V5.0 or later. The advisory metadata, however, associates this CVE with Siemens SIMATIC CN 4100 while the description is clearly a Linux kernel SCTP fix, so the product scope should be validated against the vendor advisory.
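
The bug class described above, as a simplified userspace model added for illustration; it is not Linux kernel source or Siemens code. The function names, the comparison rule (scope ids consulted only for link-local addresses), the address fe80::1 and interface index 2 are assumptions or constructed sample values, and stale memory is simulated with a fill byte so the program itself has defined behaviour.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix model: sin6_flowinfo and sin6_scope_id are never written. */
static void from_sk_unfixed(struct sockaddr_in6 *a, const struct in6_addr *rcv)
{
    a->sin6_family = AF_INET6;
    a->sin6_port = 0;
    a->sin6_addr = *rcv;
}

/* Post-fix model, per the advisory text: both fields are cleared as well. */
static void from_sk_fixed(struct sockaddr_in6 *a, const struct in6_addr *rcv)
{
    from_sk_unfixed(a, rcv);
    a->sin6_flowinfo = 0;
    a->sin6_scope_id = 0;
}

/* Assumed rule: equal link-local addresses with two non-zero, different scope ids differ. */
static int cmp_addr(const struct sockaddr_in6 *x, const struct sockaddr_in6 *y)
{
    if (memcmp(&x->sin6_addr, &y->sin6_addr, sizeof x->sin6_addr) != 0)
        return 0;
    if (IN6_IS_ADDR_LINKLOCAL(&x->sin6_addr) && x->sin6_scope_id &&
        y->sin6_scope_id && x->sin6_scope_id != y->sin6_scope_id)
        return 0;
    return 1;
}

/* Fill the slot with `stale` bytes (stand-in for leftover stack contents),
 * run one initializer, then compare with a bound address on interface 2. */
static int match_with_stale(unsigned char stale, int fixed)
{
    struct sockaddr_in6 from_sock, bound = { .sin6_family = AF_INET6, .sin6_scope_id = 2 };
    inet_pton(AF_INET6, "fe80::1", &bound.sin6_addr); /* constructed sample address */
    memset(&from_sock, stale, sizeof from_sock);
    (fixed ? from_sk_fixed : from_sk_unfixed)(&from_sock, &bound.sin6_addr);
    return cmp_addr(&bound, &from_sock);
}

int main(void)
{
    printf("unfixed 0x00=%d unfixed 0xAA=%d fixed 0xAA=%d\n", match_with_stale(0x00, 0),
           match_with_stale(0xAA, 0), match_with_stale(0xAA, 1));
    return 0;
}
```

With the unfixed initializer the same two addresses match or fail to match depending only on what the memory held beforehand, which is the nondeterminism a KMSAN uninit-value report points at.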

Defensive priority

Medium

Recommended defensive actions

  • Verify whether your asset inventory includes Siemens SIMATIC CN 4100 systems referenced by SSA-032379 / ICSA-26-134-10.
  • If the advisory applies, update to V5.0 or later as stated in the Siemens remediation.
  • Check the Siemens ProductCERT and CISA advisory pages to confirm product scope and affected versions before making changes.
  • Review systems for SCTP-related stability or memory-safety findings consistent with uninitialized-value behavior.
  • Treat the advisory mapping as low-confidence until the Linux-kernel description and Siemens product identification are reconciled.

Evidence notes

Timing context: the CISA source item and CVE record were published on 2026-05-12 and modified on 2026-05-14; the 2026-05-14 update reflects republication of Siemens ProductCERT SSA-032379 material. The source corpus explicitly states the Linux kernel SCTP fix, which is to initialize more fields in sctp_v6_from_sk() by clearing sin6_scope_id and sin6_flowinfo, and records that KMSAN observed an uninit-value in __sctp_v6_cmp_addr() and related SCTP listen/bind paths. At the same time, the advisory metadata identifies the product as Siemens SIMATIC CN 4100 vers:intdot/<5.0, creating a product-mapping inconsistency that warrants manual review. The provided CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which supports a medium severity rating focused on availability.

Official resources

CISA published CVE-2025-39812 in ICSA-26-134-10 on 2026-05-12 and republished the advisory on 2026-05-14 with Siemens ProductCERT SSA-032379 material.