PatchSiren cyber security CVE debrief
CVE-2025-39849 Cert Portal CVE debrief
CVE-2025-39849 is a medium-severity memory-corruption issue described as a missing SSID-length bounds check in Linux kernel cfg80211 connection-result handling. The supplied advisory corpus maps the issue to Siemens SIMATIC CN 4100 versions earlier than 5.0 and recommends updating to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Siemens SIMATIC CN 4100 operators running versions earlier than 5.0, OT/industrial asset owners, and vulnerability management teams tracking CISA and Siemens advisories should review this issue. Linux platform maintainers supporting embedded or appliance-style deployments should also verify whether the affected component is present.
Technical summary
The source description says __cfg80211_connect_result() did not cap ssid->datalen at IEEE80211_MAX_SSID_LEN (32). According to the advisory text, an SSID longer than that limit could lead to memory corruption, so the fix adds bounds checking. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which aligns with a locally reachable issue that primarily impacts availability.
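To make the missing check concrete, here is an added C model of the SSID copy in a connect-result path (illustration only, not Linux kernel code and not from the advisory). The constant name IEEE80211_MAX_SSID_LEN is the one the advisory cites; the struct wdev_ssid, the functions store_connect_ssid() and try_store_ssid(), and the ERR_INVAL value are hypothetical stand-ins. The length is validated against the fixed destination buffer before memcpy(), which is the bounds check the fix adds; the helper constructs 'A'-filled SSIDs of chosen lengths so the accept/reject boundary at 32 bytes can be exercised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Linux kernel code. The constant name is the one the
 * advisory cites; the struct, functions and error value are hypothetical. */
#define IEEE80211_MAX_SSID_LEN 32
#define ERR_INVAL 22   /* stand-in for the kernel's EINVAL */

/* Hypothetical stand-in for the per-device SSID storage whose fixed buffer
 * a too-long ssid->datalen would overrun. */
struct wdev_ssid {
    uint8_t data[IEEE80211_MAX_SSID_LEN];
    size_t len;
};

/* Hardened connect-result SSID store: the length is validated against the
 * destination buffer before memcpy(). The advisory describes this check as the
 * missing one; without it a datalen > 32 writes past the end of dst->data. */
int store_connect_ssid(struct wdev_ssid *dst, const uint8_t *ssid, size_t datalen)
{
    if (dst == NULL || (ssid == NULL && datalen != 0))
        return -ERR_INVAL;
    if (datalen > IEEE80211_MAX_SSID_LEN)   /* the added bounds check */
        return -ERR_INVAL;
    memcpy(dst->data, ssid, datalen);
    dst->len = datalen;
    return 0;
}

/* Demonstration helper: construct an SSID of `datalen` bytes (filled with 'A')
 * and try to store it; returns the store result (0 or -ERR_INVAL). */
int try_store_ssid(size_t datalen)
{
    uint8_t constructed[64];   /* constructed input, larger than the destination */
    struct wdev_ssid w;
    if (datalen > sizeof(constructed))
        return -ERR_INVAL;
    memset(constructed, 'A', sizeof(constructed));
    memset(&w, 0, sizeof(w));
    return store_connect_ssid(&w, constructed, datalen);
}

int main(void)
{
    size_t lens[] = { 0, 31, 32, 33, 64 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int rc = try_store_ssid(lens[i]);
        printf("datalen=%zu -> %s\n", lens[i], rc == 0 ? "stored" : "rejected");
    }
    return 0;
}
```

Lengths up to 32 are stored; 33 and above are rejected before any byte is copied, which is the behaviour the advisory's fix restores.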
Defensive priority
Medium. The issue is locally exploitable, has no known KEV listing in the supplied data, and the provided remediation is straightforward. It still deserves prompt review because the advisory text describes memory corruption and the CVSS availability impact is high.
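The 5.5 score follows directly from the vector in the technical summary. As an added worked example (not part of the advisory or the source corpus), the C below applies the CVSS v3.1 base-score formula from the FIRST specification, using the published metric weights and the specification's integer-based Roundup, to AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory: CVSS v3.1 base-score arithmetic per
 * the FIRST specification, applied to the vector in the technical summary. */

/* Specification "Roundup": round up to one decimal place, using integer
 * arithmetic to avoid floating-point drift, as the spec's reference does. */
static double cvss31_roundup(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);   /* x is never negative here */
    if (i % 10000 == 0)
        return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* Small integer power used by the scope-changed impact formula (avoids libm). */
static double pow15(double b)
{
    double r = 1.0;
    for (int k = 0; k < 15; k++)
        r *= b;
    return r;
}

/* Base score from the numeric metric weights (spec table 8). */
double cvss31_base_score(double av, double ac, double pr, double ui,
                         int scope_changed, double c, double i, double a)
{
    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact = scope_changed ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02)
                                  : 6.42 * iss;
    double expl = 8.22 * av * ac * pr * ui;
    double raw;
    if (impact <= 0.0)
        return 0.0;
    raw = scope_changed ? 1.08 * (impact + expl) : impact + expl;
    if (raw > 10.0)
        raw = 10.0;
    return cvss31_roundup(raw);
}

/* Qualitative severity rating bands from the specification. */
const char *cvss31_severity(double score)
{
    if (score <= 0.0) return "None";
    if (score < 4.0)  return "Low";
    if (score < 7.0)  return "Medium";
    if (score < 9.0)  return "High";
    return "Critical";
}

/* AV:L=0.55 AC:L=0.77 PR:L (scope unchanged)=0.62 UI:N=0.85 S:U
 * C:N=0 I:N=0 A:H=0.56 */
double cve_2025_39849_base_score(void)
{
    return cvss31_base_score(0.55, 0.77, 0.62, 0.85, 0, 0.0, 0.0, 0.56);
}

int main(void)
{
    double s = cve_2025_39849_base_score();
    printf("AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H -> %.1f (%s)\n", s, cvss31_severity(s));
    return 0;
}
```

Impact is 6.42 x 0.56 = 3.5952 and exploitability is 8.22 x 0.55 x 0.77 x 0.62 x 0.85 = 1.8346; their sum 5.4298 rounds up to 5.5, the Medium band. The confidentiality and integrity weights of zero are why only availability drives the score.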
Recommended defensive actions
- Update Siemens SIMATIC CN 4100 to V5.0 or later, as stated in the supplied remediation.
- Inventory deployments to confirm whether any systems are running versions earlier than 5.0.
- Validate whether the referenced cfg80211 component is present in your build or firmware line before scheduling maintenance.
- Track the Siemens ProductCERT advisory SSA-032379 and the CISA ICS advisory for any follow-on updates or clarifications.
- Prioritize the patch in maintenance windows for exposed or operationally sensitive systems.
Evidence notes
The supplied source item is CISA CSAF ICSA-26-134-10, republished on 2026-05-14 as an initial republication of Siemens ProductCERT SSA-032379. Its description states that if ssid->datalen exceeds IEEE80211_MAX_SSID_LEN (32), it could lead to memory corruption and that bounds checking was added. The remediation field says to update to V5.0 or later. The enrichment data shows no KEV listing. Note: the source corpus contains a vendor/product mapping that appears inconsistent with the Linux-kernel-focused description, so the product attribution should be validated against the Siemens advisory before operational use.
Official resources
- CVE-2025-39849 CVE record (CVE.org)
- CVE-2025-39849 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Published in the supplied source on 2026-05-12 and modified/republished on 2026-05-14. This debrief uses only the supplied source corpus and official references; the vendor/product mapping in the corpus should be treated as low-confidence.