PatchSiren cyber security CVE debrief
CVE-2025-39865 Cert Portal CVE debrief
CVE-2025-39865 describes a Linux kernel NULL pointer dereference in the OP-TEE shared-memory cleanup path. According to the advisory, __optee_disable_shm_cache can receive a NULL result from reg_pair_to_ptr and then pass it to tee_shm_free/tee_shm_put, which can crash the kernel. The supplied crash log shows a kernel paging request and oops during a shutdown/hibernate sequence. CISA’s advisory republished Siemens ProductCERT guidance and lists an update to V5.0 or later as the remediation for the affected Siemens SIMATIC CN 4100 product line.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators and operators of Siemens SIMATIC CN 4100 systems, especially those running versions older than 5.0, should treat this as relevant. Linux kernel maintainers and embedded OT teams should also care because the flaw can cause a system-level crash in a privileged kernel path, which may disrupt availability.
Technical summary
The issue is a NULL pointer dereference in tee_shm_put reached from __optee_disable_shm_cache. The source text states that reg_pair_to_ptr(...) may return NULL, but the returned value is then used in tee_shm_free(shm) and tee_shm_put(shm), leading to a crash. The provided panic log and call trace show the fault occurring in tee_shm_put during optee_shutdown/platform_shutdown/device_shutdown, with the failure manifesting as a kernel oops/paging request. The advisory assigns CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
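As an added illustration (not the kernel's code and not Siemens'), a self-contained C model of the cache drain the advisory describes: the reassembly of a pointer from two register halves and the stand-in free routine are assumptions modelled on reg_pair_to_ptr and tee_shm_free, and the NULL guard shown is illustrative hardening, not the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative model, not the Linux OP-TEE driver; stands in for struct tee_shm. */
struct shm { int id; };

/* Assumption modelled on the SMC ABI: a pointer comes back as two 32-bit
 * register halves, so an all-zero pair reassembles to NULL. */
static struct shm *reg_pair_to_ptr(uint32_t upper, uint32_t lower)
{
	return (struct shm *)(uintptr_t)(((uint64_t)upper << 32) | lower);
}

/* Stand-in for tee_shm_free/tee_shm_put: it dereferences its argument,
 * so passing NULL faults the way the advisory's oops describes. */
static void shm_free(struct shm *shm)
{
	shm->id = -1;
	free(shm);
}

/* Cache drain. The vulnerable shape described in the advisory forwards
 * every reassembled pointer to shm_free; here a NULL result ends the drain
 * before it reaches the free path. Returns the number of objects released. */
static int drain_shm_cache(uint32_t (*pairs)[2], size_t n)
{
	int freed = 0;
	for (size_t i = 0; i < n; i++) {
		struct shm *shm = reg_pair_to_ptr(pairs[i][0], pairs[i][1]);
		if (!shm)	/* without this check, shm_free(NULL) would fault */
			break;
		shm_free(shm);
		freed++;
	}
	return freed;
}

/* Constructed input: `live` (clamped to 3) heap objects, then a NULL pair. */
static int demo_drain(size_t live)
{
	uint32_t pairs[4][2] = {{0, 0}};
	if (live > 3)
		live = 3;
	for (size_t i = 0; i < live; i++) {
		uint64_t p = (uint64_t)(uintptr_t)malloc(sizeof(struct shm));
		pairs[i][0] = (uint32_t)(p >> 32);
		pairs[i][1] = (uint32_t)p;
	}
	return drain_shm_cache(pairs, live + 1);
}
```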
Defensive priority
High for affected deployments. While the advisory indicates local, low-privilege conditions with high attack complexity, the impact includes kernel crash and service interruption in an OT-adjacent product context. Availability loss in industrial or embedded environments can have outsized operational impact, so remediation should be prioritized on exposed systems.
Recommended defensive actions
- Update Siemens SIMATIC CN 4100 to V5.0 or later, per the vendor remediation guidance.
- Validate whether your deployed product/version mapping matches the advisory before and after remediation, since the provided product metadata is low-confidence and marked for review.
- Inventory systems that use the affected Linux kernel/OP-TEE path and determine whether shutdown, hibernate, or OP-TEE cache-disable workflows are present.
- Plan maintenance windows for updates because the observed failure occurs in a system power-management path that may be operationally sensitive.
- Monitor vendor and CISA advisory updates for any clarifications, especially if your environment depends on repackaged firmware or downstream kernel builds.
- Use standard OT defensive practices to reduce the blast radius of a crash-prone component, including segmentation, least privilege, and recovery planning.
Evidence notes
The debrief is based only on the supplied CISA CSAF source item and its cited official references. The source text explicitly states: a NULL pointer may be returned by reg_pair_to_ptr, tee_shm_put is called on that value, and the result is a crash. The embedded panic log and call trace corroborate kernel oops behavior in tee_shm_put. CISA’s advisory metadata lists the affected product as Siemens SIMATIC CN 4100 vers:intdot/<5.0 and the remediation as update to V5.0 or later. The CVSS vector provided in the source is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Official resources
- CVE-2025-39865 CVE record (CVE.org)
- CVE-2025-39865 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public advisory published 2026-05-12 and republished by CISA on 2026-05-14. Timing in this debrief uses the supplied CVE and source publication dates, not generation time.