PatchSiren cyber security CVE debrief
CVE-2025-39824 Cert Portal CVE debrief
CVE-2025-39824 appears in a CISA CSAF advisory published on 2026-05-12 and republished on 2026-05-14. The advisory maps the issue to Siemens SIMATIC CN 4100 versions before 5.0 and recommends updating to V5.0 or later. However, the embedded vulnerability text describes a Linux kernel HID use-after-free condition triggered by a crafted HID descriptor, so the product-to-vulnerability mapping in this source should be validated before operational decisions are made.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Operators and maintainers of Siemens SIMATIC CN 4100 deployments, OT security teams, and asset owners that allow connection of external HID devices. Because the source record is internally inconsistent, vulnerability triage should include confirming whether the advisory truly applies to the deployed Siemens device and software version.
Technical summary
The source description says the issue is a use-after-free in Linux kernel HID input handling. During hid_hw_start(), hidinput_connect() processes reports and may free an input device if capability bitmaps are never populated; later writes to the freed device name can trigger a UAF. The advisory text states that a malicious HID device with a specially crafted descriptor can trigger the condition. The source also provides a CVSS v3.1 vector of AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H with a score of 7.0.
Defensive priority
High for any environment that matches the Siemens advisory scope or that accepts untrusted HID peripherals; otherwise, treat as a validation-priority issue because the source record’s product and vulnerability descriptions do not align cleanly.
Recommended defensive actions
- Verify whether your environment includes Siemens SIMATIC CN 4100 systems at versions earlier than V5.0.
- Apply the vendor-recommended update to V5.0 or later where applicable.
- Confirm the advisory/product mapping against Siemens ProductCERT and CISA references before scheduling remediation.
- Restrict physical access to systems that can accept external HID devices and limit attachment of untrusted peripherals.
- Follow CISA industrial control system recommended practices for segmentation, access control, and defense in depth.
Evidence notes
Source item metadata identifies CISA CSAF advisory ICSA-26-134-10, published 2026-05-12 and republished 2026-05-14 with Siemens ProductCERT SSA-032379 content. The advisory metadata lists productNames as Siemens / SIMATIC CN 4100 / vers:intdot/<5.0 and remediates with "Update to V5.0 or later version." The vulnerability description embedded in the record is truncated, but it clearly discusses a Linux kernel HID asus use-after-free triggered by a crafted HID descriptor and includes a KASAN splat. Because the product mapping and vulnerability narrative conflict, this record should be treated as low-confidence and validated against the vendor advisory.
Official resources
-
CVE-2025-39824 CVE record
CVE.org
-
CVE-2025-39824 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the CSAF record for CVE-2025-39824 on 2026-05-12 and republished it on 2026-05-14 with Siemens ProductCERT SSA-032379 advisory content. The record does not indicate KEV inclusion. Because the source mixes Siemens SIMATIC CN 4