CVE-2025-39826 Cert Portal CVE debrief

Who should care

Operators and maintainers of affected Siemens SIMATIC CN 4100 deployments, embedded/OT teams that inherit Linux kernel components from vendor firmware, and Linux kernel/firmware administrators responsible for systems that may include the rose networking subsystem.

Technical summary

The advisory describes a race in the Linux kernel's rose subsystem: struct rose_neigh used an unsigned short 'use' field as a reference count without atomic protection. Under concurrent execution, rose_rt_ioctl() or related paths could reduce the count to zero while a timer or another code path still referenced the object, risking a use-after-free. The fix changes the field to refcount_t and updates callers to use rose_neigh_hold() and rose_neigh_put(), which provide atomic reference counting semantics.

Defensive priority

medium

Recommended defensive actions

• Apply the vendor remediation: update to V5.0 or later, per the Siemens advisory guidance.
• Verify whether any deployed Siemens SIMATIC CN 4100 or other affected images include the vulnerable Linux kernel components.
• Prioritize firmware/OS updates for embedded or OT devices that cannot be independently patched at the application layer.
• Review any monitoring or stability alerts for unexplained crashes that could indicate memory-safety issues in the affected kernel path.
• Track the linked CISA and Siemens advisories for any follow-up revision or product-scope clarification.

Evidence notes

The supplied source item and its references describe a Linux kernel net/rose reference-counting race that can lead to use-after-free. The metadata also maps the advisory to Siemens SIMATIC CN 4100 <5.0, but that product mapping is marked low confidence/needs review in the provided data. Timing context is based on the advisory's published date of 2026-05-12 and modified date of 2026-05-14. The issue is not listed in CISA KEV in the supplied enrichment.

Official resources