PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-39977 Siemens CVE debrief

CVE-2025-39977 is a Linux kernel futex use-after-free in the requeue-PI path that Siemens included in its SIMATIC S7-1500 advisory. The supplied advisory data rates it HIGH (CVSS 7.0) and indicates there is currently no fix, so affected operators should rely on compensating controls until vendor guidance changes.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

OT/ICS teams running the affected Siemens SIMATIC S7-1500 CPU family, especially environments using the additional GNU/Linux subsystem and any local shell or application-execution features. Security teams responsible for Linux-based embedded controllers should also track this advisory because the underlying bug is in futex handling.

Technical summary

The issue is a race in futex_wait_requeue_pi()/futex_requeue() where a thread can leave without using futex_q::lock_ptr for synchronization, creating a use-after-free risk around futex_q state. The described fix is to read futex_q::task before updating futex_q::requeue_state, using READ_ONCE semantics so the task pointer is captured before the state transition. The advisory references a local attack model (AV:L), low privileges (PR:L), and high impact to confidentiality, integrity, and availability.

Defensive priority

High

Recommended defensive actions

  • Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
  • Only build and run applications from trusted sources on affected systems.
  • Treat the advisory as a no-fix condition for now and use compensating controls until Siemens publishes corrective guidance.
  • Monitor Siemens ProductCERT SSA-082556 and CISA ICSA-25-162-05 for any future remediation updates.
  • Limit local access to affected devices and review which users or services can reach the embedded Linux environment.

Evidence notes

The source corpus ties this CVE to Siemens advisory SSA-082556 / CISA advisory ICSA-25-162-05, with publication on 2025-06-10 and a latest republication update on 2026-05-14. The revision history shows CVE-2025-39977 was added to the advisory on 2026-01-13, so that later advisory date should not be confused with the CVE's publication date. The supplied data also states 'Currently no fix is available' and provides a CVSS 3.1 vector of AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

Official resources

Publicly disclosed in the CISA CSAF advisory set on 2025-06-10; the advisory revision history shows CVE-2025-39977 was added on 2026-01-13 and the latest republication update was 2026-05-14. No KEV entry is present in the supplied data.