PatchSiren cyber security CVE debrief
CVE-2025-39866 Cert Portal CVE debrief
CVE-2025-39866 is a high-severity use-after-free in the Linux kernel writeback path, specifically in __mark_inode_dirty(). The supplied advisory material shows the bug can occur when the inode writeback context is switching and __mark_inode_dirty() races with wb_wakeup_delayed() after the old bdi_writeback has been released. CISA published the advisory on 2026-05-12 and republished it on 2026-05-14. The source corpus maps the issue to a Siemens SIMATIC CN 4100 advisory, but that product mapping is explicitly low-confidence and should be validated before assuming exposure.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Linux kernel maintainers, platform owners running Siemens SIMATIC CN 4100 deployments covered by SSA-032379/ICSA-26-134-10, and security teams responsible for systems using the affected writeback code path. Because the CVSS vector is local and low-privilege, teams should pay special attention to environments where local users or services can trigger file writes.
Technical summary
The advisory describes a race in fs/writeback: __mark_inode_dirty() can obtain a bdi_writeback that is in the middle of switching. The root cause summary in the source states that inode_switch_wbs_work_fn and inode_do_switch_wbs can release the old wb, after which wb_wakeup_delayed() still accesses that wb object, creating a use-after-free. The described fix is to hold the inode spinlock until wb_wakeup_delayed() has finished, closing the race between wb switching and delayed wakeup handling.
Defensive priority
High. The advisory scores the issue CVSS 3.1 7.8 (HIGH) with local attack vector, low privileges, and high confidentiality, integrity, and availability impact. Prioritize validation and patching for any exposed affected build.
Recommended defensive actions
- If your deployment matches the Siemens advisory, update to V5.0 or later as directed in the remediation guidance.
- Validate whether the affected Siemens SIMATIC CN 4100 image actually includes the vulnerable Linux kernel writeback code path before assuming exposure.
- Apply the vendor-provided fix or firmware update on a maintenance window and confirm the corrected build is running afterward.
- Inventory systems that permit local user or service activity that can trigger filesystem writes, since the CVSS vector is local and low-privilege.
- Monitor for kernel warnings, crashes, or instability around filesystem writeback activity while remediation is being planned.
- Cross-check the advisory documents at the official Siemens and CISA links for any product-specific backports or installation notes.
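The monitoring step above can be partly automated by scanning kernel logs for fault reports whose stack frames name the functions from the root-cause summary. This is an added example, not code from the advisory or the kernel project; the sample log is constructed, and the 40-line report window and the list of report-opening strings are assumptions.

```python
import re

# Functions named in the advisory's root-cause summary for CVE-2025-39866.
WATCHED = {"__mark_inode_dirty", "wb_wakeup_delayed",
           "inode_switch_wbs_work_fn", "inode_do_switch_wbs"}
# Lines that open a kernel fault report (assumed set of markers).
REPORT_START = re.compile(
    r"BUG: KASAN: |general protection fault|Oops: |"
    r"Unable to handle kernel|WARNING: CPU:")
# Stack-frame notation used in kernel reports: symbol+0xoffset/0xsize
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
WINDOW = 40  # assumed maximum number of lines belonging to one report

# Constructed sample log, not taken from the advisory or a real system.
SAMPLE = """\
[  812.101] BUG: KASAN: slab-use-after-free in wb_wakeup_delayed+0x5c/0xa0
[  812.102] Read of size 8 at addr ffff888012345678 by task kworker/u8:2/77
[  812.103] Call Trace:
[  812.104]  dump_stack_lvl+0x48/0x70
[  812.105]  wb_wakeup_delayed+0x5c/0xa0
[  812.106]  __mark_inode_dirty+0x2f1/0x410
[  900.001] WARNING: CPU: 1 PID: 200 at net/core/dev.c:1234 netif_rx+0x10/0x20
[  900.002]  netif_rx+0x10/0x20
"""

def find_writeback_faults(lines):
    """Return fault reports whose frames include a watched writeback symbol."""
    reports, current = [], None
    for number, raw in enumerate(lines, start=1):
        text = TIMESTAMP.sub("", raw.rstrip("\n"))
        if REPORT_START.search(text):
            # A new report header also closes the previous report.
            current = {"line": number, "headline": text.strip(), "symbols": set()}
            reports.append(current)
        elif current is None or number - current["line"] >= WINDOW:
            current = None  # not inside any report: ignore the line
            continue
        current["symbols"].update(FRAME.findall(text))
    hits = []
    for report in reports:
        matched = sorted(report["symbols"] & WATCHED)
        if matched:
            hits.append({"line": report["line"], "headline": report["headline"],
                         "symbols": matched})
    return hits

if __name__ == "__main__":
    for hit in find_writeback_faults(SAMPLE.splitlines()):
        print(hit)
```

A match indicates a fault in the writeback path worth triage; it does not by itself confirm CVE-2025-39866.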
Evidence notes
The debrief is based only on the supplied CISA CSAF source item and its linked official references. The corpus includes the kernel root-cause summary, the fix summary, the CVSS vector, and the official publication/republication dates. The product mapping in the source is marked low-confidence and needs review, so the debrief avoids claiming exact exposure beyond what the advisory supports. No KEV entry is present in the supplied enrichment data.
Official resources
- CVE-2025-39866 CVE record (CVE.org)
- CVE-2025-39866 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the supplied source corpus via CISA ICS Advisory ICSA-26-134-10 on 2026-05-12, with a CISA republication of the Siemens ProductCERT advisory on 2026-05-14. The CVE issue date should be treated as the advisory's public/