PatchSiren cyber security CVE debrief
CVE-2025-39846 Cert Portal CVE debrief
CVE-2025-39846 is a medium-severity Linux kernel vulnerability described as a NULL pointer dereference in __iodyn_find_io_region(). The issue occurs when pcmcia_make_resource() returns NULL and the result is passed into pci_bus_alloc_resource() without a check, which can trigger a crash. The supplied advisory corpus ties the issue to Siemens SIMATIC CN 4100 metadata and recommends updating to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators and administrators responsible for Siemens SIMATIC CN 4100 systems covered by the advisory, and teams maintaining Linux-based systems that include the affected pcmcia code path. This is most relevant where availability matters and kernel crashes would disrupt operations.
Technical summary
The source description says __iodyn_find_io_region() assigns the return value of pcmcia_make_resource() to res and then passes it to pci_bus_alloc_resource() without checking it for NULL. Because pci_bus_alloc_resource() dereferences res, a failed allocation leads to a NULL pointer dereference and a kernel crash. The advisory's CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a locally triggerable issue with no confidentiality or integrity impact but high availability impact.
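The defect class is a missing NULL check on an allocator's return value before a callee dereferences it. The following is an added, self-contained C model of that pattern and its fix; it is not kernel code and not code from the advisory. The names model_make_resource(), model_bus_alloc_resource(), find_io_region_unchecked(), find_io_region_checked() and the simulate_alloc_failure hook are constructed stand-ins for the functions the description names, used only to make the failure path reproducible in user space.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for a kernel resource descriptor (constructed model). */
struct resource {
    unsigned long start;
    unsigned long end;
    const char *name;
};

/* Test hook (constructed): when nonzero, the simulated allocator fails the
 * way a real allocation fails under memory pressure. */
static int simulate_alloc_failure = 0;

/* Stand-in for pcmcia_make_resource(): returns NULL on allocation failure. */
static struct resource *model_make_resource(unsigned long start, unsigned long end,
                                            const char *name)
{
    struct resource *res;

    if (simulate_alloc_failure)
        return NULL;
    res = calloc(1, sizeof(*res));
    if (!res)
        return NULL;
    res->start = start;
    res->end = end;
    res->name = name;
    return res;
}

/* Stand-in for pci_bus_alloc_resource(): dereferences res unconditionally,
 * which is the behaviour the advisory attributes to the real callee. */
static int model_bus_alloc_resource(struct resource *res, unsigned long size)
{
    res->end = res->start + size - 1;   /* faults if res == NULL */
    return 0;
}

/* The pattern the advisory describes: the allocation result is handed on
 * without a check. With simulate_alloc_failure set this dereferences NULL,
 * so it is only ever exercised on the success path here. */
static int find_io_region_unchecked(unsigned long base, unsigned long size,
                                    struct resource **out)
{
    struct resource *res = model_make_resource(base, base + size - 1, "io");
    int ret = model_bus_alloc_resource(res, size);

    if (ret) {
        free(res);
        return ret;
    }
    *out = res;
    return 0;
}

/* Hardened form: validate the allocation before any use and report -ENOMEM
 * to the caller instead of crashing the kernel. */
static int find_io_region_checked(unsigned long base, unsigned long size,
                                  struct resource **out)
{
    struct resource *res;
    int ret;

    *out = NULL;
    res = model_make_resource(base, base + size - 1, "io");
    if (!res)
        return -ENOMEM;             /* the check the fix adds */

    ret = model_bus_alloc_resource(res, size);
    if (ret) {
        free(res);
        return ret;
    }
    *out = res;
    return 0;
}

int main(void)
{
    struct resource *res = NULL;
    int ret;

    /* Failure path: only the checked variant survives it. */
    simulate_alloc_failure = 1;
    ret = find_io_region_checked(0x100, 0x10, &res);
    printf("allocation failure: ret=%d (expected %d), res=%p\n", ret, -ENOMEM, (void *)res);

    /* Success path: both variants behave identically. */
    simulate_alloc_failure = 0;
    ret = find_io_region_unchecked(0x100, 0x10, &res);
    printf("unchecked, success path: ret=%d, range 0x%lx-0x%lx\n", ret, res->start, res->end);
    free(res);
    ret = find_io_region_checked(0x100, 0x10, &res);
    printf("checked, success path: ret=%d, range 0x%lx-0x%lx\n", ret, res->start, res->end);
    free(res);
    return 0;
}
```

The point for defenders is that both variants are indistinguishable on the success path, which is why such bugs survive testing until an allocation actually fails; the availability impact in the CVSS vector comes entirely from the unchecked path, and the fix is a single early return that converts a crash into an error code the caller can handle.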
Defensive priority
Medium. Prioritize patching in environments that rely on the affected Linux kernel component or the Siemens advisory's affected product line, especially where downtime is operationally significant.
Recommended defensive actions
- Apply the vendor remediation: update to V5.0 or later, as directed in the Siemens advisory.
- Inventory affected assets and confirm whether they are within the advisory scope before scheduling maintenance.
- Test and validate updates in a controlled environment, then deploy through normal change management.
- Monitor vendor and CISA advisories for any follow-up guidance or revised scope.
- Use standard defensive monitoring and resilience practices to reduce the impact of a kernel crash or reboot.
Evidence notes
The supplied source item is a CISA CSAF advisory published on 2026-05-12 and republished on 2026-05-14 from Siemens ProductCERT SSA-032379. The description explicitly identifies a Linux kernel NULL pointer dereference in pcmcia: __iodyn_find_io_region(), and the remediation states 'Update to V5.0 or later version.' No KEV listing or ransomware linkage is present in the supplied corpus. The vendor metadata provided with the prompt is low-confidence and should be treated as advisory metadata requiring review because it names Siemens SIMATIC CN 4100 while the vulnerability description itself is a Linux kernel fix.
Official resources
- CVE-2025-39846 CVE record (CVE.org)
- CVE-2025-39846 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed through the CISA CSAF advisory on 2026-05-12 and republished on 2026-05-14 from Siemens ProductCERT SSA-032379. The supplied corpus shows no KEV entry.