PatchSiren cyber security CVE debrief
CVE-2025-39853 Cert Portal CVE debrief
CVE-2025-39853 describes a potential invalid memory access when an i40e MAC list is empty and code dereferences the result of list_first_entry(). The fix changes this to list_first_entry_or_null(), which avoids dereferencing an invalid pointer when the list has no entries. The supplied advisory metadata associates the issue with Siemens SIMATIC CN 4100 vers:intdot/<5.0, so applicability should be validated carefully before actioning the remediation.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Operators of Siemens SIMATIC CN 4100 systems named in the advisory, and teams maintaining Linux kernel networking components that rely on i40e MAC list handling, should review exposure and patch status. Security and operations teams responsible for industrial network appliances should also verify whether the advisory mapping matches their deployed software stack.
Technical summary
The vulnerability is a potential out-of-bounds/invalid access condition caused by using list_first_entry() on an empty list. In Linux kernel list APIs, list_first_entry() does not return NULL for an empty list; it yields a pointer that can become unsafe if dereferenced. The corrective change is to use list_first_entry_or_null() so the empty-list case is handled safely. The source advisory bundle lists CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local-impact availability issue.
Defensive priority
Medium
Recommended defensive actions
- Apply the vendor remediation and update to V5.0 or later as listed in the advisory.
- Confirm whether your deployed product or firmware actually matches the Siemens SIMATIC CN 4100 advisory scope before prioritizing work.
- Review any code or configurations that iterate over MAC lists and ensure empty-list handling is safe.
- Track the Siemens/CISA advisory references for any clarification or republished details affecting scope.
Evidence notes
Published in the supplied CISA CSAF source on 2026-05-12 and republished on 2026-05-14. The advisory text states: "list_first_entry() never returns NULL" and that an empty list can lead to potential invalid memory access when dereferenced; the fix is to use list_first_entry_or_null instead of list_first_entry. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The corpus also contains a source-level mismatch: the product metadata names Siemens SIMATIC CN 4100 vers:intdot/<5.0, while the vulnerability description is for the Linux kernel i40e path, so product applicability should be validated manually.
Official resources
-
CVE-2025-39853 CVE record
CVE.org
-
CVE-2025-39853 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the supplied CISA CSAF advisory on 2026-05-12 and republished on 2026-05-14; no KEV listing is included in the supplied data.