PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-39718 Siemens CVE debrief

CVE-2025-39718 is a Linux kernel vsock/virtio vulnerability that can lead to an SKB overflow when a guest trusts a packet-header length that has not been validated against the receive buffer. In the CISA-republished Siemens advisory, the issue is tied to Siemens SIMATIC CN 4100 versions earlier than 5.0. The practical risk is memory corruption in guest-side packet handling, which can affect availability and potentially broader system integrity depending on how the affected code is deployed.

Vendor: Siemens
Product: SIMATIC CN 4100
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

OT/ICS teams running Siemens SIMATIC CN 4100 versions earlier than 5.0, Linux kernel maintainers, and virtualization administrators using virtio-vsock in guest environments should review this advisory. This is especially relevant where guest-to-host communication paths are present and versioned vendor remediation is available.

Technical summary

The flaw is in virtio-vsock receive handling. Prior to calling virtio_vsock_skb_rx_put(), the code validated only the virtqueue buffer size. The packet header length was then used as the skb_put() length argument, which can exceed the actual buffer and trigger an SKB overflow if the received header advertises a bad length. The published advisory describes this as a Linux kernel issue and maps it to Siemens SIMATIC CN 4100 < 5.0, with a fix to validate the packet-header length before the SKB is extended.
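The two checks the advisory contrasts, as a constructed C model added here (not kernel code; the struct, function and constant names are assumptions): the unchecked path validates only the received buffer size and then lets the header's advertised length drive the put, while the hardened path also bounds that length by the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the virtio-vsock receive step (example only, not kernel code). */
#define SKB_ROOM 128                          /* constructed receive-buffer size */
struct model_hdr { uint32_t len; };           /* advertised payload length, peer-controlled */
#define HDR_SIZE sizeof(struct model_hdr)
struct model_skb { size_t tail; unsigned char data[SKB_ROOM]; };

enum rx_result { RX_OK = 0, RX_DROP_BAD_LEN = -1, RX_OVERFLOW = -2 };

/* Models skb_put(): in the kernel an over-sized put is fatal (skb_over_panic);
 * here it reports RX_OVERFLOW so a test can observe it. */
static int model_skb_put(struct model_skb *skb, size_t n)
{
    if (n > SKB_ROOM - skb->tail)
        return RX_OVERFLOW;
    skb->tail += n;
    return RX_OK;
}

/* Vulnerable shape: only the virtqueue buffer size (used_len) is checked,
 * then hdr.len is handed to the put without comparison against used_len. */
static int rx_put_unchecked(struct model_skb *skb, const unsigned char *buf, size_t used_len)
{
    struct model_hdr hdr;
    if (used_len < HDR_SIZE || used_len > SKB_ROOM)
        return RX_DROP_BAD_LEN;
    memcpy(&hdr, buf, HDR_SIZE);
    memcpy(skb->data, buf, HDR_SIZE);
    skb->tail = HDR_SIZE;
    return model_skb_put(skb, hdr.len);   /* may exceed the buffer or the received bytes */
}

/* Hardened shape: the advertised length must fit inside what was actually received. */
static int rx_put_checked(struct model_skb *skb, const unsigned char *buf, size_t used_len)
{
    struct model_hdr hdr;
    if (used_len < HDR_SIZE || used_len > SKB_ROOM)
        return RX_DROP_BAD_LEN;
    memcpy(&hdr, buf, HDR_SIZE);
    if (hdr.len > used_len - HDR_SIZE)    /* the missing bound: drop oversized headers */
        return RX_DROP_BAD_LEN;
    memcpy(skb->data, buf, HDR_SIZE);
    skb->tail = HDR_SIZE;
    return model_skb_put(skb, hdr.len);
}

/* Builds a constructed received buffer whose header advertises adv_len payload bytes. */
static void build_pkt(unsigned char *buf, size_t buf_size, uint32_t adv_len)
{
    struct model_hdr hdr = { adv_len };
    memset(buf, 0xAA, buf_size);
    memcpy(buf, &hdr, HDR_SIZE);
}
```

Note the middle case in the model: an advertised length that fits the buffer but exceeds the received bytes passes the unchecked path silently, so the skb then claims data that was never delivered.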

Defensive priority

High — the advisory is rated CVSS 7.6 (HIGH), affects packet handling in a kernel path, and has a vendor-provided version-based remediation for Siemens SIMATIC CN 4100.

Recommended defensive actions

  • Update Siemens SIMATIC CN 4100 to V5.0 or later, per the vendor remediation in the advisory.
  • Inventory deployments to confirm whether any affected Siemens SIMATIC CN 4100 systems are running versions earlier than 5.0.
  • Review virtualization and guest communication paths that use virtio-vsock and ensure the corrected software version is deployed.
  • Follow the CISA ICS recommended practices and Siemens ProductCERT guidance for defensive hardening and operational change control.
  • If you rely on the affected component, monitor for unexpected guest-side crashes or memory-corruption symptoms until remediation is complete.

Evidence notes

This debrief is based on the supplied CISA CSAF advisory ICSA-26-134-10, which republishes Siemens ProductCERT advisory SSA-032379. The source description states that only the virtqueue buffer size was validated before virtio_vsock_skb_rx_put(), while the packet-header length was later passed to skb_put(), creating a potential SKB overflow. The advisory was published on 2026-05-12 and republished on 2026-05-14; those dates are used here as advisory timing context, not as the underlying issue-creation date. The provided source also lists Siemens SIMATIC CN 4100 versions earlier than 5.0 and recommends updating to V5.0 or later.

Official resources

Publicly disclosed in CISA CSAF ICSA-26-134-10 on 2026-05-12 and republished on 2026-05-14 from Siemens ProductCERT advisory SSA-032379.