PatchSiren cyber security CVE debrief
CVE-2025-39841 Cert Portal CVE debrief
CVE-2025-39841 is a high-severity memory-safety flaw described in the Linux kernel lpfc deferred receive path. The advisory says the buffer was freed before its context pointer was cleared, creating a use-after-free window and possible double-free condition when concurrent paths inspect the same pointer. CISA’s advisory ties the issue to Siemens SIMATIC CN 4100 and recommends updating to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Organizations running Siemens SIMATIC CN 4100 systems covered by the advisory, especially environments that rely on the affected Linux-kernel-based receive-path handling. OT/ICS teams, platform maintainers, and patch-management owners should prioritize review and upgrade planning.
Technical summary
The issue is a sequencing bug: the deferred receive path freed the RQ buffer first and only then cleared the context pointer under lock. That ordering can race with other locked paths, including ABTS and repost handling, which also inspect and release the same pointer. The advisory notes the repost path already follows the safer pattern of detaching the pointer under lock and freeing it after the lock is dropped; the deferred path should match that pattern. The published CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
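The ordering problem described above, replayed as a single-threaded user-space model. This is an added example, not code from the advisory or the lpfc driver: `rq_buf`, `rx_ctx` and all function names are hypothetical, and a release counter stands in for the real free so the double release can be observed safely.

```c
#include <pthread.h>
#include <stdio.h>

/* Hypothetical stand-ins; these are not the lpfc driver's real types or names. */
struct rq_buf { int releases; };   /* counts releases instead of calling free() */
struct rx_ctx { pthread_mutex_t lock; struct rq_buf *buf; };

static void release_buf(struct rq_buf *b) { b->releases++; }

/* Safe pattern: detach the pointer under the lock, release after unlocking. */
static void release_detached(struct rx_ctx *c)
{
    struct rq_buf *b;

    pthread_mutex_lock(&c->lock);
    b = c->buf;
    c->buf = NULL;
    pthread_mutex_unlock(&c->lock);
    if (b)
        release_buf(b);
}

/* Second half of the flawed ordering: clear the pointer under the lock. */
static void clear_locked(struct rx_ctx *c)
{
    pthread_mutex_lock(&c->lock);
    c->buf = NULL;
    pthread_mutex_unlock(&c->lock);
}

/* Replays one interleaving in sequence and returns how often the buffer was released. */
static int replay(int flawed_order)
{
    struct rq_buf b = { 0 };
    struct rx_ctx c = { PTHREAD_MUTEX_INITIALIZER, &b };

    if (flawed_order)
        release_buf(c.buf);     /* deferred path releases first ... */
    else
        release_detached(&c);   /* deferred path detaches under lock, then releases */
    release_detached(&c);       /* another locked path inspects the same pointer */
    if (flawed_order)
        clear_locked(&c);       /* ... and clears the pointer only now */
    return b.releases;
}

int main(void)
{
    printf("flawed order: %d releases, detach first: %d release\n", replay(1), replay(0));
    return 0;
}
```

With the flawed ordering the second path still finds a non-NULL pointer and releases the buffer again; with detach-first it finds NULL and does nothing.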
Defensive priority
High. The advisory assigns CVSS 7.8 (HIGH), the flaw can affect availability and memory integrity, and remediation is available in the vendor advisory.
Recommended defensive actions
- Review whether Siemens SIMATIC CN 4100 deployments are in scope for the advisory and map affected versions.
- Apply the vendor remediation and upgrade to V5.0 or later as directed by Siemens/CISA.
- Prioritize patch planning for exposed or operationally critical systems because the impact is high if the flaw is reachable.
- Track CISA and Siemens advisories for any follow-up guidance or revised affected-version information.
- Validate asset inventories so affected product versions can be identified quickly during maintenance windows.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-134-10 (published 2026-05-12, republished 2026-05-14) and the linked Siemens ProductCERT advisory references. The source description explicitly states the buffer free/clear ordering bug, the concurrent-path race, and the remediation to update to V5.0 or later. Timing in this brief uses the supplied CVE publication and modification dates only.
Official resources
- CVE-2025-39841 CVE record (CVE.org)
- CVE-2025-39841 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public advisory first published 2026-05-12 and republished by CISA on 2026-05-14 with Siemens ProductCERT source material.