PatchSiren cyber security CVE debrief
CVE-2025-39828 Cert Portal CVE debrief
CVE-2025-39828 describes a Linux kernel ATM subsystem flaw in atmtcp_recv_control() where sendmsg()-originated messages were not adequately validated before reaching control handling. The advisory states this could let a local attacker abuse atmtcp_control handling to overwrite kernel pointers, which is why the issue was fixed by adding a pre_send() validation step. In the Siemens/CISA advisory set, the issue is associated with Siemens SIMATIC CN 4100 versions prior to 5.0, but the product mapping is marked low-confidence and should be reviewed before operational use.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Asset owners and operators using Siemens SIMATIC CN 4100 appliances or other deployments that include the affected Linux kernel ATM/atmtcp code path should care, especially teams responsible for patching, firmware validation, and local privilege-risk reduction.
Technical summary
The reported bug is in drivers/atm/atmtcp.c. The kernel uses a special atmtcp_control structure for both in-kernel and user-facing message flows. The advisory says vcc_sendmsg() could reach atmtcp_recv_control() without sufficient message-length validation, allowing a local sender to drive an arbitrary write against kernel pointer data. The fix introduces a new pre_send() hook so messages from sendmsg() are validated before they can reach the vulnerable control path.
Defensive priority
High. The supplied CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a local attack that can still have full confidentiality, integrity, and availability impact if the affected path is reachable.
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, per the vendor remediation note.
- Confirm whether your deployed firmware or kernel build includes the affected ATM/atmtcp code path.
- Limit local shell and application access on systems that expose the vulnerable kernel surface.
- Track Siemens ProductCERT advisory SSA-032379 and the CISA advisory ICSA-26-134-10 for vendor-specific remediation details.
- Validate that patching does not break any ATM-related functionality used by your deployment.
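For the second action above, one way to check a Linux host for the atmtcp driver (an added example, not vendor or kernel code). It assumes the upstream Kconfig symbol CONFIG_ATM_TCP and module name atmtcp, neither of which is named in the advisory text; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not vendor or kernel code). Assumes the upstream names
# CONFIG_ATM_TCP (Kconfig symbol) and atmtcp (module) for drivers/atm/atmtcp.c.

# Constructed sample config fragment, used only to exercise the parser.
SAMPLE_CONFIG='CONFIG_ATM=m
# CONFIG_ATM_CLIP is not set
CONFIG_ATM_TCP=m'

# Read a kernel config on stdin; print builtin, module or absent.
atmtcp_config_state() {
    awk -F= '
        $1 == "CONFIG_ATM_TCP" {
            if ($2 == "y") state = "builtin"
            else if ($2 == "m") state = "module"
        }
        END { print (state == "" ? "absent" : state) }
    '
}

# Classify the running kernel from /proc/config.gz or /boot/config-<release>.
atmtcp_running_kernel() {
    rel=$(uname -r)
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz | atmtcp_config_state
    elif [ -r "/boot/config-$rel" ]; then
        atmtcp_config_state < "/boot/config-$rel"
    else
        echo unknown
    fi
}

# Succeed if atmtcp is loaded; $1 overrides /proc/modules for testing.
atmtcp_loaded() {
    grep -q '^atmtcp ' "${1:-/proc/modules}" 2>/dev/null
}

echo "sample config:  $(printf '%s\n' "$SAMPLE_CONFIG" | atmtcp_config_state)"
echo "running kernel: $(atmtcp_running_kernel)"
if atmtcp_loaded; then echo "atmtcp module:  loaded"
else echo "atmtcp module:  not loaded"; fi
```

A result of builtin or module only shows that the code path is present in the build; whether the pre_send() fix is included depends on the kernel or firmware version, which for the Siemens product is V5.0 or later per the advisory.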
Evidence notes
Source corpus states that the issue was published by CISA on 2026-05-12 and republished on 2026-05-14 from Siemens ProductCERT SSA-032379. The advisory text explicitly says the problem is in the Linux kernel ATM atmtcp control path and that a new pre_send() hook was added to validate sendmsg() messages. The supplied advisory also lists the remediation as updating to V5.0 or later and provides CVSS 3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The product association 'Siemens SIMATIC CN 4100 vers:intdot/<5.0' is marked low confidence and needs review.
Official resources
- CVE-2025-39828 CVE record (CVE.org)
- CVE-2025-39828 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA first published the advisory on 2026-05-12 and republished it on 2026-05-14 using Siemens ProductCERT SSA-032379 material. The issue itself is a Linux kernel vulnerability resolved upstream and then carried into the Siemens advisory as