PatchSiren cyber security CVE debrief
CVE-2025-39817 Cert Portal CVE debrief
CVE-2025-39817 is a Linux kernel efivarfs memory-safety issue that can cause a slab-out-of-bounds read in efivarfs_d_compare. The supplied advisory says the bug was observed on kernel 6.6 and present on master, and that parallel lookups involving an invalid filename can lead to a negative guid value and an out-of-bounds memcmp. The fix is to validate guid before the comparison. CISA published the advisory on 2026-05-12 and republished Siemens ProductCERT material on 2026-05-14.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH (7)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Linux kernel maintainers, embedded and OT system owners, and administrators of Siemens-listed assets should review whether their deployed images include the affected efivarfs code path. If your environment permits local users, containers, or workloads to exercise filesystem lookups on affected kernels, this deserves prompt attention.
Technical summary
The issue is in efivarfs_d_compare. When dentry->d_name.len is shorter than EFI_VARIABLE_GUID_LEN, the derived guid offset can become negative, allowing memcmp to read beyond the slab object during dentry comparisons. The source describes a trigger involving parallel lookups where an invalid dentry is added to the hash list and later retrieved for comparison. The published fix is to check guid before comparing.
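To make the failure mode concrete, the following is an added user-space model of the comparison, written for this debrief; it is not the kernel's efivarfs code or the upstream patch. It assumes the textual GUID length of 36 characters (the form 8be4df61-93ca-11d2-aa0d-00e098032b8c) and uses hypothetical function names. unchecked_compare_len shows what a name shorter than a GUID does to the byte count handed to memcmp: the negative int converts to a huge size_t, which is the out-of-bounds read. hardened_d_compare adds the guard the advisory describes, rejecting the name before any bytes are compared, so no out-of-bounds access is performed anywhere in this program.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Length of a textual GUID such as 8be4df61-93ca-11d2-aa0d-00e098032b8c.
 * Assumed value for this model (36 characters). */
#define EFI_VARIABLE_GUID_LEN 36

/* Unchecked model: the byte count memcmp() would receive when the
 * variable-name offset is derived without validation. For a name shorter
 * than a GUID the int is negative and converts to a very large size_t,
 * which is the slab-out-of-bounds read described in the advisory. */
size_t unchecked_compare_len(unsigned int len)
{
    int guid = (int)len - EFI_VARIABLE_GUID_LEN;
    return (size_t)guid;  /* the implicit conversion memcmp() would apply */
}

/* Hardened model of the d_compare step. Returns 0 when the two names
 * match and 1 otherwise (the dentry d_compare convention). The guid
 * offset is validated before either buffer is read. */
int hardened_d_compare(const char *str, unsigned int len,
                       const char *name, unsigned int name_len)
{
    int guid = (int)len - EFI_VARIABLE_GUID_LEN;

    /* Different lengths can never match. */
    if (name_len != len)
        return 1;

    /* Validate guid before comparing: a name too short to carry a
     * variable name plus a GUID is invalid and never matches. This is
     * the check that prevents the negative length from reaching memcmp. */
    if (guid < 0)
        return 1;

    /* Case-sensitive compare of the variable-name prefix. */
    if (memcmp(str, name, (size_t)guid) != 0)
        return 1;

    /* Case-insensitive compare of the GUID suffix. */
    return strncasecmp(name + guid, str + guid, EFI_VARIABLE_GUID_LEN) != 0;
}

int main(void)
{
    /* Constructed sample names: a valid efivarfs-style name and a short one. */
    const char *full  = "BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c";
    const char *upper = "BootOrder-8BE4DF61-93CA-11D2-AA0D-00E098032B8C";
    const char *shrt  = "Boot";

    printf("unchecked length for a 4-byte name: %zu\n",
           unchecked_compare_len(4));
    printf("hardened compare, GUID case differs: %d (0 = match)\n",
           hardened_d_compare(full, 46, upper, 46));
    printf("hardened compare, short name: %d (1 = rejected)\n",
           hardened_d_compare(shrt, 4, shrt, 4));
    return 0;
}
```

The unchecked length for a 4-byte name is the size_t wrap of -32, far larger than any slab object, which is why the guard has to sit before the memcmp call rather than after it.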
Defensive priority
High. The source rates the issue CVSS 7.0 (HIGH) with local attack conditions and high impact potential. Prioritize remediation on systems that expose the affected kernel path to untrusted local activity or that ship the vulnerable kernel in embedded/OT deployments.
Recommended defensive actions
- Apply the vendor-fixed version or later. The supplied remediation says to update to V5.0 or later for the Siemens-listed product.
- Verify whether your deployed Linux kernels include the efivarfs fix for CVE-2025-39817, especially if you run 6.6-era or similar branches.
- Review local access paths and untrusted workload exposure on affected systems, because the source CVSS vector is local and requires local privileges.
- Use asset inventory to confirm whether the Siemens advisory mapping applies to your devices before planning remediation, because the supplied source marks the vendor/product mapping as low confidence.
- Monitor vendor and distro security updates for backported kernel fixes if you cannot move to a newer release immediately.
Evidence notes
The supplied source description states: "efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare" and explains that a short dentry name can make guid negative, leading to an out-of-bounds memcmp. The source also includes the CVSS vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H and identifies publication on 2026-05-12 with a modification/republication on 2026-05-14. The vendor/product mapping in the provided enrichment is marked low confidence and needs review, so the underlying Linux-kernel technical finding should be validated against your own asset context.
Official resources
- CVE-2025-39817 CVE record (CVE.org)
- CVE-2025-39817 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in a CISA ICS advisory on 2026-05-12, with CISA republication of Siemens ProductCERT advisory material on 2026-05-14. The supplied enrichment does not mark this CVE as KEV-listed.