PatchSiren cyber security CVE debrief
CVE-2025-39860 Cert Portal CVE debrief
CVE-2025-39860 describes a race in the Linux kernel Bluetooth L2CAP socket cleanup path, specifically l2cap_sock_cleanup_listen(), that can result in a use-after-free. The advisory says concurrent socket handling could let two threads act on the same socket, causing a premature free and later access to freed memory. The supplied advisory rates the issue CVSS 7.1 (HIGH). It also maps the issue to Siemens SIMATIC CN 4100 versions earlier than 5.0, but that product association is flagged low-confidence and should be verified before actioning it as a product-specific exposure.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators and security teams responsible for systems that include the affected Linux Bluetooth stack, especially environments referenced by the Siemens advisory mapping. Local-access risk matters here because the supplied CVSS vector indicates local attack conditions with low privileges.
Technical summary
The root cause is a locking race around Bluetooth accept-list cleanup. bt_accept_dequeue() normally runs under lock_sock(), but l2cap_sock_release() could invoke l2cap_sock_cleanup_listen() without the same protection, allowing two threads to reach the same socket during list iteration. The reported fix is to call l2cap_sock_cleanup_listen() under lock_sock() in l2cap_sock_release(). The supplied vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, indicating local, low-privilege exploitation potential with high confidentiality and availability impact.
Defensive priority
High. Treat as urgent to evaluate and patch where applicable, because the flaw can trigger kernel memory corruption/use-after-free and the advisory assigns a HIGH severity score.
Recommended defensive actions
- Apply the vendor remediation (update to V5.0 or later) where the Siemens mapping applies.
- Verify whether your environment actually uses the affected product mapping and whether the underlying Linux Bluetooth stack is present.
- Prioritize patch validation and rollout on systems that expose Bluetooth functionality or depend on kernel Bluetooth socket handling.
- Reduce exposure by disabling or restricting Bluetooth features where they are not operationally required.
- Monitor affected hosts for kernel instability, crashes, or other symptoms consistent with a use-after-free until remediation is complete.
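One way to carry out the "is the Bluetooth stack present" check from the list above on a general Linux host, as an added example that is not part of the advisory or of Siemens material. The module list and the function names are assumptions for illustration; upstream builds L2CAP into the core `bluetooth` module, but a vendor kernel may package it differently.

```shell
#!/bin/sh
# Added triage example: is the kernel Bluetooth stack (which contains L2CAP) present?
# Module names are the usual upstream ones (assumption; vendor kernels may differ).
BT_MODULES="bluetooth btusb rfcomm bnep hidp hci_uart"

# Print each Bluetooth-related module found in a /proc/modules style file.
bt_loaded_modules() {
    modules_file="${1:-/proc/modules}"
    [ -r "$modules_file" ] || return 2
    for m in $BT_MODULES; do
        # The first field of /proc/modules is the module name.
        awk -v m="$m" '$1 == m { print $1 }' "$modules_file"
    done
}

# Classify CONFIG_BT from a kernel config file: builtin, module, disabled, unknown.
bt_config_state() {
    config_file="$1"
    [ -r "$config_file" ] || { echo unknown; return 0; }
    case "$(grep -E '^CONFIG_BT=' "$config_file" | head -n1)" in
        CONFIG_BT=y) echo builtin ;;
        CONFIG_BT=m) echo module ;;
        *)           echo disabled ;;
    esac
}

# Combine both signals into one verdict for the host.
bt_exposure() {
    loaded="$(bt_loaded_modules "$1" | tr '\n' ' ')"
    state="$(bt_config_state "$2")"
    if [ -n "$loaded" ] || [ "$state" = builtin ]; then
        echo present      # stack is live: prioritise the kernel or vendor update
    elif [ "$state" = module ]; then
        # Not loaded now but can autoload; if unused, block it with a
        # modprobe.d rule such as: install bluetooth /bin/false
        echo loadable
    elif [ "$state" = unknown ]; then
        echo unknown      # no config file to inspect: verify by other means
    else
        echo absent
    fi
}

# Verdict for the running host (config path follows the common distro layout).
bt_exposure /proc/modules "/boot/config-$(uname -r)"
```

A `present` or `loadable` verdict only says the code path exists on the host; whether the running kernel already carries the fix still has to be confirmed against the vendor or distribution advisory.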
Evidence notes
The source corpus is a CISA CSAF advisory republishing Siemens ProductCERT material for ICSA-26-134-10 / SSA-032379. The advisory text attributes the bug to a race in l2cap_sock_cleanup_listen() and includes the fix direction to invoke cleanup under lock_sock() in l2cap_sock_release(). The supplied data also records publication on 2026-05-12 and republication on 2026-05-14. No KEV listing is present in the supplied enrichment data. The Siemens product mapping is explicitly marked low-confidence/needs review.
Official resources
- CVE-2025-39860 CVE record (CVE.org)
- CVE-2025-39860 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public advisory publication date in the supplied record is 2026-05-12, with a republication/update on 2026-05-14 that incorporates Siemens ProductCERT material. The supplied enrichment data shows no KEV listing.