PatchSiren cyber security CVE debrief
CVE-2025-39838 Cert Portal CVE debrief
CVE-2025-39838 describes a NULL pointer dereference in Linux kernel CIFS UTF-16 conversion. According to the advisory text, NULL can flow into cifs_strndup_to_utf16 and then into cifs_local_to_utf16_bytes, where a dereference of '*from' can crash the system. The documented fix adds a NULL check and returns early. The advisory was published by CISA on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT material. The source package ties the issue to Siemens SIMATIC CN 4100 versions before 5.0, so defenders should treat this as an availability-impacting issue for the affected product line while also noting the Linux-kernel-rooted technical description.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators and operators responsible for Siemens SIMATIC CN 4100 devices, especially versions earlier than 5.0, and anyone maintaining systems that consume the cited Linux kernel CIFS code path. Security teams tracking ICS advisories should also review the CISA/Siemens notices for applicability.
Technical summary
The source advisory says NULL is passed into __cifs_sfu_make_node without validation, then forwarded to cifs_strndup_to_utf16 and cifs_local_to_utf16_bytes, where a NULL dereference can occur and crash the system. The fix is a defensive NULL check on the source argument in cifs_strndup_to_utf16, preventing the invalid dereference path. The supplied CVSS vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and score 7.0 indicate high severity, with practical impact centered on denial of service.
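The call pattern described above, as an added userspace C model (not the kernel's source and not code from the advisory). The `model_*` names, the ASCII-only conversion and the choice to zero the output length on NULL are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Models the length pass: it reads through 'from', so 'from' must be valid. */
static size_t model_local_to_utf16_bytes(const char *from, size_t maxlen)
{
    size_t n = 0;
    while (n < maxlen && from[n] != '\0')   /* dereference of 'from' */
        n++;
    return (n + 1) * sizeof(uint16_t);      /* code units plus terminator */
}

/* Before the fix: src is forwarded unchecked, so a NULL src faults above. */
uint16_t *model_strndup_unchecked(const char *src, size_t maxlen, size_t *out_len)
{
    size_t bytes = model_local_to_utf16_bytes(src, maxlen);
    uint16_t *dst = calloc(1, bytes);       /* zeroed, so already terminated */
    if (!dst)
        return NULL;
    for (size_t i = 0; i + 1 < bytes / sizeof(uint16_t); i++)
        dst[i] = (unsigned char)src[i];     /* ASCII-only widening (model) */
    *out_len = bytes;
    return dst;
}

/* After the fix: reject NULL before any helper can dereference it. */
uint16_t *model_strndup_checked(const char *src, size_t maxlen, size_t *out_len)
{
    if (!src) {
        *out_len = 0;                       /* this model's choice (assumption) */
        return NULL;
    }
    return model_strndup_unchecked(src, maxlen, out_len);
}

int main(void)
{
    size_t len = 0;
    uint16_t *w = model_strndup_checked("node", 16, &len);
    printf("valid src: %zu bytes\n", len);
    free(w);
    w = model_strndup_checked(NULL, 16, &len);  /* early return, no crash */
    printf("NULL src: %s, %zu bytes\n", w ? "buffer" : "NULL", len);
    return 0;
}
```

Callers of the guarded form must treat a NULL return as a failure rather than pass it on, otherwise the dereference just moves one frame up.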
Defensive priority
High
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, as specified in the vendor remediation.
- Confirm whether any deployed systems match the affected product/version scope before scheduling maintenance.
- Review the CISA advisory and Siemens ProductCERT advisory SSA-032379 for applicability and any vendor-specific deployment guidance.
- Monitor affected systems for unexpected crashes or service interruptions consistent with a NULL pointer dereference.
- Ensure local access controls and change-management processes are in place for operational technology assets while remediation is planned.
Evidence notes
The supplied source item (CISA CSAF ICSA-26-134-10, published 2026-05-12 and modified 2026-05-14) states that a NULL pointer dereference in Linux kernel CIFS UTF-16 conversion can cause a crash, and that the fix adds a NULL check in cifs_strndup_to_utf16. The same source item maps the advisory to Siemens SIMATIC CN 4100 versions before 5.0 and lists remediation to update to V5.0 or later. Because the advisory was republished on 2026-05-14, that date should be treated as a republication/update date, not the original vulnerability date. The vendor/product attribution in the provided corpus is low-confidence and should be reviewed against the cited Siemens advisory pages.
Official resources
- CVE-2025-39838 CVE record (CVE.org)
- CVE-2025-39838 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the supplied CISA CSAF source on 2026-05-12, with a CISA republication/update on 2026-05-14 that incorporated Siemens ProductCERT advisory material. No Known Exploited Vulnerabilities listing was provided in the source