PatchSiren cyber security CVE debrief
CVE-2025-39825 Cert Portal CVE debrief
CVE-2025-39825 is a race-condition issue described in the Linux kernel SMB client rename(2) path. The source advisory says the rename flow can widen the window for concurrent opens on the target file while handling deferred closes, outstanding I/O, and deleted open handles. The cited fix is to unhash the dentry earlier so concurrent opens are blocked before the rename completes. The source rates the issue CVSS 7.0 HIGH.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Administrators and security owners for systems that use the affected SMB client code, especially environments following the Siemens/CISA advisory for SIMATIC CN 4100. Because the source data maps a Linux kernel bug to a Siemens product with low confidence, asset owners should verify actual exposure before prioritizing remediation.
Technical summary
The advisory text describes a race during rename(2) in the Linux kernel SMB client. During rename handling, the client closes deferred closes, waits for outstanding I/O, and marks open handles deleted, which increases the chance that a concurrent open can land on the target file. The fix is to unhash the dentry in advance to prevent those concurrent opens. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
High for confirmed affected deployments, because the source rates impact as high for confidentiality, integrity, and availability. Medium until exposure is confirmed in environments where the product mapping is uncertain. Treat this as a priority patch-and-verify item for any asset aligned to the advisory.
Recommended defensive actions
- Verify whether CVE-2025-39825 applies to your environment; the source data links the issue description to Linux kernel SMB client code, but the vendor/product fields name Siemens SIMATIC CN 4100 with low confidence.
- Apply the vendor remediation listed in the source: update to V5.0 or later if the Siemens advisory applies to the asset.
- Use the CISA and Siemens advisory references to confirm whether any revised guidance, affected versions, or follow-on notices have been issued.
- Review SMB client usage and apply defense-in-depth practices from CISA ICS guidance, including limiting unnecessary access paths where practical.
- Track the asset inventory for any systems that may rely on the affected code path so remediation can be validated after maintenance.
Evidence notes
Primary source: CISA CSAF advisory ICSA-26-134-10 published 2026-05-12 and modified 2026-05-14. The CISA revision history says version 2 was an initial CISA republication of Siemens ProductCERT SSA-032379. The source item text describes a Linux kernel SMB client rename(2) race, while the vendor/product fields identify Siemens SIMATIC CN 4100 vers:intdot/<5.0; that mismatch is why the vendor confidence is low and the product mapping needs review. The supplied data does not include a KEV entry or ransomware campaign use.
Official resources
-
CVE-2025-39825 CVE record
CVE.org
-
CVE-2025-39825 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory on 2026-05-12 and republished by CISA on 2026-05-14 as part of Siemens ProductCERT SSA-032379. No KEV inclusion is provided in the source data, and the product association should be treated as a低