PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-39827 Cert Portal CVE debrief

CVE-2025-39827 describes a reference-counting bug in the Linux kernel's rose networking code (the ROSE/X.25 amateur packet radio protocol under net/rose) that could let a rose_neigh object be freed while it was still referenced, resulting in a slab-use-after-free. The supplied CISA/Siemens advisory maps the issue to Siemens SIMATIC CN 4100 versions before 5.0 and credits Syzbot with reporting the problem.

Vendor
Cert Portal
Product
Siemens SIMATIC CN 4100, versions before 5.0 (advisory range vers:intdot/<5.0)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-14
Advisory published
2026-05-12
Advisory updated
2026-05-14

Who should care

Operators and administrators responsible for Siemens SIMATIC CN 4100 systems covered by the advisory, plus Linux kernel maintainers and teams that ship or run kernels with the rose protocol built in or loadable, including embedded and OT builds.

Technical summary

The issue comes from two independent reference-counting paths in struct rose_neigh: count, which tracks references held by rose_node structures, and use (now a refcount_t), which tracks references held by rose_sock. Because node-held references were only reflected in count, a rose_neigh could be released on the use path while a rose_node still pointed to it; Syzbot observed this as a slab-use-after-free. The fix unifies the two paths by incrementing and decrementing rose_neigh->use whenever rose_neigh->count changes, and by releasing rose_neigh references in rose_rt_free(), rose_rt_device_down(), and rose_clear_route() before rose_remove_node() frees a rose_node. Node references therefore keep the rose_neigh alive for as long as the node exists, which closes the use-after-free condition described in the advisory.
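As an added illustration of the refcount change described above, this is a small user-space model written for this debrief, not kernel code. The field names count and use mirror the kernel's; the helper names (neigh_hold, neigh_put, node_ref, sock_ref) and the rule that the object is released when use reaches zero are modelling assumptions. It runs the same scenario against the pre-fix and post-fix behaviour: a route node and a socket both reference the neigh, the socket closes first, and the node then touches the neigh.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the two reference-counting paths in struct rose_neigh.
 * Added illustration, not kernel code: count/use mirror the kernel fields,
 * everything else is a stand-in. */
struct model_neigh {
    int  count;    /* references held by rose_node structures */
    int  use;      /* refcount_t analogue: references held by rose_sock */
    bool freed;    /* model flag: object has been released */
    bool unified;  /* false = pre-fix behaviour, true = post-fix behaviour */
};

/* Hold/put analogues. Modelling assumption: the object is released when
 * use drops to zero. */
static void neigh_hold(struct model_neigh *n)
{
    n->use++;
}

static void neigh_put(struct model_neigh *n)
{
    if (--n->use == 0)
        n->freed = true;
}

/* A rose_node gains or drops a pointer to the neigh. Pre-fix only count
 * moves; post-fix the change in count is mirrored into use, as the fix
 * description states. */
static void node_ref(struct model_neigh *n)
{
    n->count++;
    if (n->unified)
        neigh_hold(n);
}

static void node_unref(struct model_neigh *n)
{
    n->count--;
    if (n->unified)
        neigh_put(n);
}

/* A rose_sock reference always goes through use. */
static void sock_ref(struct model_neigh *n)   { neigh_hold(n); }
static void sock_unref(struct model_neigh *n) { neigh_put(n); }

/* Scenario: node and socket both point at the neigh, the socket closes,
 * then the node (for example its route timer) touches the neigh.
 * Returns true when the neigh is still alive at that point. */
bool neigh_alive_after_sock_close(bool unified)
{
    struct model_neigh n = { .count = 0, .use = 0, .freed = false, .unified = unified };

    node_ref(&n);
    sock_ref(&n);
    sock_unref(&n);              /* socket goes away first */

    bool alive = !n.freed;       /* pre-fix: already freed while count is still 1 */

    node_unref(&n);              /* route teardown releases the node's reference */
    return alive;
}

/* Post-fix invariant: every node reference is also counted in use, so
 * use >= count at all times and the object is released exactly when the
 * last holder of either kind goes away. Returns true if that held. */
bool unified_release_is_balanced(void)
{
    struct model_neigh n = { .count = 0, .use = 0, .freed = false, .unified = true };
    bool ok = true;

    node_ref(&n);   ok = ok && n.use >= n.count && !n.freed;
    node_ref(&n);   ok = ok && n.use >= n.count && !n.freed;
    sock_ref(&n);   ok = ok && n.use >= n.count && !n.freed;
    sock_unref(&n); ok = ok && n.use >= n.count && !n.freed;
    node_unref(&n); ok = ok && n.use >= n.count && !n.freed;
    node_unref(&n); ok = ok && n.use == 0 && n.count == 0 && n.freed;
    return ok;
}

int main(void)
{
    printf("pre-fix : neigh alive after socket close? %s\n",
           neigh_alive_after_sock_close(false) ? "yes" : "NO (use-after-free)");
    printf("post-fix: neigh alive after socket close? %s\n",
           neigh_alive_after_sock_close(true) ? "yes" : "NO");
    printf("post-fix release balanced: %s\n",
           unified_release_is_balanced() ? "yes" : "no");
    return 0;
}
```

In the pre-fix run the socket's final put drives use to zero and releases the object while count is still one, which is the state the timer path then dereferences; in the post-fix run the node's own hold keeps use above zero until route teardown drops it, and the object is released exactly once when both kinds of holder are gone.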

Defensive priority

Medium priority. The published CVSS is 5.5 (local attack vector, low privileges, no user interaction, high availability impact), so this is not the highest-severity class, and the affected code is only reachable on kernels where the rose protocol is built in or loadable. It is still a kernel memory-safety bug, and a use-after-free is a class that attackers have historically turned into more than a crash, so it should be patched promptly in affected Siemens-managed environments.

Recommended defensive actions

  • Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, per the vendor remediation.
  • Confirm whether your deployment is covered by the Siemens advisory and inventory every SIMATIC CN 4100 running a version prior to 5.0, so that the remaining exposure is a known list rather than an estimate.
  • Schedule the update through normal OT maintenance controls and validate the change in a test or maintenance window before broad rollout.
  • Track the upstream Linux kernel fix in your internal patch management process if you maintain embedded or customized kernel builds.
  • Monitor vendor advisories and internal asset inventories for any additional products that inherit the same rose stack behavior.

Evidence notes

The supplied source item is CISA CSAF advisory ICSA-26-134-10, published 2026-05-12 and republished 2026-05-14, and its description states the bug is a Linux kernel rose refcount issue that resolves a slab-use-after-free reported by Syzbot. The same source maps the advisory to Siemens SIMATIC CN 4100 versions before 5.0 and includes a vendor remediation to update to V5.0 or later. No KEV listing or active exploitation detail is present in the provided corpus.

Official resources

CISA published the advisory on 2026-05-12 and republished it on 2026-05-14. The source notes that Syzbot reported the slab-use-after-free condition.