PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-39188 Siemens CVE debrief

CVE-2022-39188 describes a Linux kernel race condition that can let a device driver free a page while stale TLB entries still exist. In the Siemens advisory published by CISA on 2025-02-11, the issue is tied to multiple SCALANCE W700 product variants and the recommended remediation is to update to V3.0.0 or later. The published CVSS score is 4.7 (MEDIUM), with impact concentrated on availability.

Vendor: Siemens
Product: SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0)
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-02-11
Original CVE updated: 2025-05-06
Advisory published: 2025-02-11
Advisory updated: 2025-05-06

Who should care

Operators and maintainers of the listed Siemens SCALANCE WAB/WAM/WUB/WUM devices, OT/ICS administrators responsible for patch planning, and security teams that track Linux-kernel-derived issues in embedded networking equipment.

Technical summary

The vulnerability is described as a race between unmap_mapping_range and munmap in include/asm-generic/tlb.h in Linux kernels before 5.19. It only occurs with VM_PFNMAP VMAs: in that situation a device driver can free a page while stale TLB entries for it remain, an availability-impacting memory-management flaw. The Siemens advisory maps this upstream Linux issue to 19 affected SCALANCE product identifiers and provides a vendor remediation path to V3.0.0 or later.

Defensive priority

Medium — plan a timely maintenance update to the vendor-fixed version, verify affected product coverage, and validate service behavior after patching.

Recommended defensive actions

  • Identify whether any of the 19 Siemens SCALANCE product variants listed in the advisory are in your environment.
  • Check the installed vendor/software version against Siemens remediation guidance and plan an upgrade to V3.0.0 or later.
  • Schedule the update through normal OT maintenance/change-control processes and confirm operational compatibility after installation.
  • Use CISA and Siemens advisory references to confirm the exact affected product IDs before deploying the fix.
  • Apply ICS defense-in-depth practices around segmentation, access control, and monitoring as part of the update plan.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-044-09, the Siemens advisory references, and the CVE/NVD record links supplied in the source corpus. The CVE description and CVSS vector indicate a local, low-privilege, no-user-interaction issue with high availability impact and no stated confidentiality or integrity impact. The source corpus also provides a vendor fix statement: update to V3.0.0 or later. No KEV entry was supplied.

Official resources

Publicly disclosed in CISA advisory ICSA-25-044-09 on 2025-02-11, with a later advisory revision on 2025-05-06 that fixed typos. No Known Exploited Vulnerabilities entry was supplied in the source corpus.