PatchSiren cyber security CVE debrief
CVE-2025-39839 Cert Portal CVE debrief
CVE-2025-39839 is a medium-severity Linux kernel flaw in batman-adv network-coding decode. The issue occurs because batadv_nc_skb_decode_packet() trusts coded_len, checks it only against skb->len, and does not verify the source skb length before XOR operations. That can lead to an out-of-bounds read and a small out-of-bounds write when the payload bounds are exceeded. The source advisory was published on 2026-05-12 and was republished by CISA on 2026-05-14 with Siemens product mapping that should be treated as low-confidence and verified against vendor guidance.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Linux kernel maintainers, administrators, and platform teams that enable batman-adv network coding should review this issue. Security and operations teams supporting Siemens SIMATIC CN 4100 should also check the Siemens/CISA advisory path, but the product mapping in the source item is marked low confidence and needs review before treating it as confirmed exposure.
Technical summary
According to the source description, batadv_nc_skb_decode_packet() validates coded_len only against the destination skb length. The XOR logic starts after sizeof(struct batadv_unicast_packet), which reduces the available payload headroom, and the source skb length is not checked. If coded_len is larger than the actual payload area in either skb, the function can read past the source buffer and write past the destination payload region. The supplied CVSS vector indicates local attack conditions with low privileges and no user interaction, and availability is the primary impact.
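The bounds condition described above, as an added user-space model (not the kernel's code or the upstream patch). HDR_LEN is a constructed stand-in for sizeof(struct batadv_unicast_packet), and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for sizeof(struct batadv_unicast_packet); the real
 * value comes from the kernel headers and is not stated on this page. */
#define HDR_LEN 10u

/* Pre-fix condition as the advisory describes it: coded_len is compared
 * only with the destination's total length. */
static int weak_check_ok(size_t dst_len, size_t coded_len)
{
    return coded_len <= dst_len;
}

/* Bound coded_len by the payload area (length minus header) of BOTH
 * buffers. Ordered to avoid unsigned underflow when a buffer is shorter
 * than the header. */
static int coded_len_in_bounds(size_t dst_len, size_t src_len, size_t coded_len)
{
    if (dst_len < HDR_LEN || src_len < HDR_LEN)
        return 0;
    return coded_len <= dst_len - HDR_LEN && coded_len <= src_len - HDR_LEN;
}

/* XOR the src payload into the dst payload. Returns 0 on success, -1 if
 * the request would leave either payload area (nothing is touched). */
static int xor_decode_checked(uint8_t *dst, size_t dst_len,
                              const uint8_t *src, size_t src_len,
                              size_t coded_len)
{
    if (!coded_len_in_bounds(dst_len, src_len, coded_len))
        return -1;
    for (size_t i = 0; i < coded_len; i++)
        dst[HDR_LEN + i] ^= src[HDR_LEN + i];
    return 0;
}

int main(void)
{
    uint8_t dst[32] = {0}, src[16];
    memset(src, 0xAA, sizeof(src));
    /* coded_len 32 passes the weak check but exceeds both payload areas. */
    int rejected = xor_decode_checked(dst, sizeof(dst), src, sizeof(src), 32);
    int accepted = xor_decode_checked(dst, sizeof(dst), src, sizeof(src), 6);
    return !(rejected == -1 && accepted == 0 && weak_check_ok(sizeof(dst), 32));
}
```

When reviewing a downstream kernel tree, the equivalent question is whether coded_len is compared against both skbs' lengths minus the unicast header before the XOR loop runs.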
Defensive priority
Medium priority. Patch and verify exposure promptly on systems that include the affected batman-adv code path, and treat the Siemens product mapping as provisional until confirmed by the vendor advisory.
Recommended defensive actions
- Apply the vendor-provided fix path: update to V5.0 or later if the Siemens advisory mapping applies to your environment.
- Review any Linux kernel builds that include batman-adv network coding and confirm whether the patched code is present.
- Inventory systems using batman-adv or related networking features to determine practical exposure.
- Validate that coded_len is bounded by the payload area of both destination and source sk_buffs in any downstream or custom integrations.
- Use the Siemens and CISA advisories as primary references for product-specific remediation guidance.
- Document the vendor/product mapping as low-confidence until it is confirmed by the owning vendor or asset inventory.
Evidence notes
Primary evidence comes from the supplied CISA CSAF source item and its embedded description: batadv_nc_skb_decode_packet() trusts coded_len, checks only against skb->len, and lacks a source skb length check before XORing, causing out-of-bounds read/write. Timing context is based on the supplied CVE/source dates: published 2026-05-12 and modified/republished 2026-05-14. The vendor/product association in the source item is explicitly low confidence and flagged needsReview, so it should not be treated as definitive without corroboration.
Official resources
- CVE-2025-39839 CVE record (CVE.org)
- CVE-2025-39839 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public advisory published on 2026-05-12 and republished/updated on 2026-05-14. No exploit code or offensive reproduction steps are included here.