PatchSiren cyber security CVE debrief
CVE-2025-39931 Siemens CVE debrief
CVE-2025-39931 is a Linux kernel af_alg state-handling flaw that can leave ctx->merge with stale data after an aborted af_alg_sendmsg call. On a later call, that bad state can trigger an invalid merge attempt and crash the affected Linux path. In the Siemens advisory, the issue is mapped to SIMATIC S7-1500 CPU family products that include an additional GNU/Linux subsystem.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
OT/ICS teams running the affected Siemens SIMATIC S7-1500 CPU family, especially operators who allow local shell or application access to the embedded GNU/Linux subsystem; vulnerability managers tracking local denial-of-service risks; and engineers responsible for firmware, subsystem hardening, and recovery planning.
Technical summary
The kernel function af_alg_sendmsg could abort on an error path without clearing ctx->merge, so the next invocation might reuse an invalid merge value from the prior loop. The fix resets ctx->merge to zero early in the loop, preventing stale state from causing a crash. The supplied CVSS vector indicates a local, low-privilege availability issue (AV:L/PR:L/A:H).
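The stale-flag pattern described above, as an added example: a toy userspace model, not kernel code and not taken from the advisory. Only the name merge comes from the page; the chunk layout, the no_merge call mode and the injected error are assumptions of the model.

```c
#include <stddef.h>
/* Toy userspace model of the stale-flag pattern; not kernel code.
 * Only the name `merge` comes from the advisory text. */
#define CHUNK ((size_t)8)
enum { MAX_CHUNKS = 8, MODEL_OK = 0, MODEL_ERR = -1, MODEL_BAD_MERGE = -2 };
struct model_ctx {
    size_t fill[MAX_CHUNKS];       /* bytes used in each queued chunk */
    int    appendable[MAX_CHUNKS]; /* may later data be merged into it? */
    int    n;                      /* chunks queued */
    size_t merge;                  /* nonzero: last chunk has room */
};

/* no_merge and inject_err are hypothetical knobs of this model.
 * fixed=1 applies the described fix: clear merge early in the loop. */
int model_sendmsg(struct model_ctx *c, size_t len, int no_merge,
                  int inject_err, int fixed)
{
    while (len) {
        size_t k;
        if (c->merge && !no_merge) {
            int last = c->n - 1;   /* merge path trusts the flag */
            if (last < 0 || !c->appendable[last] || c->fill[last] >= CHUNK)
                return MODEL_BAD_MERGE; /* stale flag: the crash case */
            k = CHUNK - c->fill[last];
            if (k > len) k = len;
            c->fill[last] += k;
            c->merge = c->fill[last] % CHUNK;
            len -= k;
            continue;
        }
        if (fixed) c->merge = 0;   /* no later exit can leave it stale */
        if (c->n == MAX_CHUNKS) return MODEL_ERR;
        k = len < CHUNK ? len : CHUNK;
        c->fill[c->n] = k;
        c->appendable[c->n] = !no_merge;
        c->n++;
        if (inject_err) return MODEL_ERR; /* abort: merge keeps old value */
        c->merge = no_merge ? 0 : k % CHUNK;
        len -= k;
    }
    return MODEL_OK;
}

/* Replays: normal call, aborted call, normal call; returns last result. */
int model_replay(int fixed)
{
    struct model_ctx c = {0};
    model_sendmsg(&c, 3, 0, 0, fixed);  /* leaves merge = 3 */
    model_sendmsg(&c, 4, 1, 1, fixed);  /* aborted call */
    return model_sendmsg(&c, 2, 0, 0, fixed);
}
```

In the model, the unfixed replay ends in MODEL_BAD_MERGE because the third call acts on a flag the aborted call never cleared; with the early reset the same sequence completes normally.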
Defensive priority
Medium. The impact is availability rather than code execution, but the supplied Siemens advisory states no fix was available in the provided material, so compensating controls matter until remediation is issued.
Recommended defensive actions
- Restrict interactive shell access on the affected GNU/Linux subsystem to trusted personnel only.
- Only install and run applications from trusted sources on the affected systems.
- Track Siemens ProductCERT SSA-082556 and CISA ICSA-25-162-05 for vendor remediation updates.
- Treat unexplained crashes in the embedded Linux subsystem as a priority because the vulnerability can produce a denial of service.
- Apply CISA ICS recommended practices and general defense-in-depth controls for OT systems.
- Validate recovery procedures and maintenance access controls for the affected CPU family.
Evidence notes
The supplied corpus ties CVE-2025-39931 to CISA ICS advisory ICSA-25-162-05 and Siemens ProductCERT advisory SSA-082556. The advisory was published on 2025-06-10 and last updated on 2026-05-14. The description states that an error in af_alg_sendmsg can leave ctx->merge with garbage from a previous loop and cause a crash on the next entry. The remediation section in the supplied source says there is currently no fix available and recommends restricting shell access and using trusted sources. The corpus does not report KEV listing or active exploitation.
Official resources
- CVE-2025-39931 CVE record (CVE.org)
- CVE-2025-39931 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA ICS Advisory ICSA-25-162-05 on 2025-06-10 and updated through 2026-05-14 in the supplied advisory history.