PatchSiren cyber security CVE debrief
CVE-2025-39847 Cert Portal CVE debrief
CVE-2025-39847 describes a Linux kernel PPP memory leak in pad_compress_skb(). If alloc_skb() fails, the function can return NULL before the old skb reference is safely preserved, so the caller’s cleanup path no longer frees the original buffer. The published fix changes the ownership flow to match realloc-style behavior: only release the old skb after the new allocation and compression succeed, and keep the original skb available on failure.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Linux kernel maintainers, downstream distributors, and operators of systems that include the affected PPP code path should review this issue. Because the supplied advisory metadata maps the CVE into a Siemens/CISA advisory record, recipients of that advisory should also verify whether the product mapping applies to their environment.
Technical summary
The source corpus says pad_compress_skb() could lose the reference to the original skb when alloc_skb() fails, resulting in a memory leak because kfree_skb(skb) is called on a NULL value after the pointer has already been overwritten. The remedial change is to preserve the original skb in a separate variable until the new allocation and compression succeed. The CVSS vector in the corpus is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which aligns with an availability-focused issue.
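The ownership problem described above, reduced to a userspace C model as an added example (not the kernel's code and not taken from the advisory). struct buf, compress_buf(), send_leaky(), send_fixed() and the fail_alloc switch are hypothetical stand-ins for the skb, pad_compress_skb(), its caller and a failing alloc_skb().

```c
#include <stdio.h>
#include <stdlib.h>
struct buf { unsigned char data[64]; };  /* stands in for an skb (hypothetical) */

static int live;        /* buffers currently allocated */
static int fail_alloc;  /* constructed fault injection: make buf_alloc() fail */
static struct buf *buf_alloc(void) {
    struct buf *b = fail_alloc ? NULL : calloc(1, sizeof *b);
    if (b) live++;
    return b;
}
static void buf_free(struct buf *b) { if (b) { free(b); live--; } }

/* realloc-style contract: on success the old buffer is released and the new
 * one returned; on failure NULL is returned and the old buffer is untouched. */
static struct buf *compress_buf(struct buf *old) {
    struct buf *new = buf_alloc();
    if (!new) return NULL;
    *new = *old;            /* stand-in for the compression step */
    buf_free(old);
    return new;
}

/* Leaky caller: the result overwrites the only pointer to the original. */
static int send_leaky(int fail) {
    live = 0; fail_alloc = 0;
    struct buf *b = buf_alloc();
    if (!b) return -1;
    fail_alloc = fail;
    b = compress_buf(b);    /* NULL on failure: original is now unreachable */
    buf_free(b);            /* drop path frees NULL, which does nothing */
    return live;            /* buffers still allocated after the attempt */
}

/* Fixed caller: keep the original in its own variable until success. */
static int send_fixed(int fail) {
    live = 0; fail_alloc = 0;
    struct buf *orig = buf_alloc(), *out;
    if (!orig) return -1;
    fail_alloc = fail;
    out = compress_buf(orig);
    buf_free(out ? out : orig);  /* drop path still holds a valid pointer */
    return live;
}

int main(void) {
    printf("leaked buffers: leaky=%d fixed=%d\n", send_leaky(1), send_fixed(1));
    return 0;
}
```

Each failed allocation in the leaky caller strands one buffer, which is why the impact accumulates on long-running systems under memory pressure.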
Defensive priority
Medium. The issue is non-remote and availability-focused, but memory leaks can still matter on long-running or resource-constrained systems. Prioritize if you operate affected kernels or rely on the advisory’s mapped product line.
Recommended defensive actions
- Apply the vendor remediation listed in the source corpus: update to V5.0 or later, or the equivalent fixed release in your distribution.
- Verify whether your deployment actually matches the advisory’s product mapping before scheduling maintenance, because the supplied metadata is internally inconsistent with the Linux kernel description.
- Track the CISA and Siemens advisory references for any revised product scope, corrected mappings, or updated fix guidance.
- If you maintain downstream kernel builds, confirm the skb ownership change is present in your patch level and backport set.
- Review resource-monitoring and alerting for long-running systems where repeated leaks could affect availability.
Evidence notes
The corpus contains a direct vulnerability description stating that pad_compress_skb() can leak memory when alloc_skb() fails and the caller loses the original skb reference. It also includes the published and modified dates of 2026-05-12 and 2026-05-14, a CVSS 3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and a vendor remediation pointing to version V5.0 or later. The source metadata also appears to map the CVE to Siemens SIMATIC CN 4100 despite the Linux kernel description, so the product association should be treated cautiously.
Official resources
- CVE-2025-39847 CVE record (CVE.org)
- CVE-2025-39847 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the source advisory on 2026-05-12 and republished it on 2026-05-14. The supplied corpus does not list this CVE in CISA KEV.