CVE-2025-39701
Description
In the Linux kernel, the following vulnerability has been resolved:
ACPI: pfr_update: Fix the driver update version check
The security-version-number check should be used rather than the runtime version check for driver updates.
Otherwise, the firmware update would fail when the update binary had a lower runtime version number than the current one.
[ rjw: Changelog edits ]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, an ACPI pfr_update driver security check incorrectly used runtime version instead of security version, breaking firmware updates.
Vulnerability Analysis
CVE-2025-39701 is a vulnerability in the Linux kernel's ACPI pfr_update driver, where the kernel's firmware update path performed a version check using the wrong value. Specifically, the driver used the runtime version number instead of the security-version-number when validating driver updates [1][2]. This flaw was introduced in the kernel's handling of Platform Firmware Runtime Update and was addressed by kernel stable backports [3][4].
Attack Vector
The bug is triggered during the firmware update process. When a user or system attempts to apply a driver update binary, the kernel compares the binary's version against the currently installed firmware version. Because the incorrect version field was checked, an update that has a lower runtime version number than the current runtime version would be rejected, even if the security version met the necessary criteria. This prevents legitimate security updates from being applied. The vulnerability is exploitable locally by an attacker with sufficient privileges to initiate a platform firmware update (which typically requires root access). However, the more direct impact is on the integrity of the update mechanism itself.
Impact
The primary consequence is denial of service for firmware updates: a legitimate update may fail to install, leaving the system running outdated firmware. If an attacker can control the update binary, they might also craft a binary with a high runtime version that bypasses security version requirements, potentially downgrading security protections. The CVE is rated High (CVSS 7.8) due to the potential for local privilege escalation or compromise of firmware integrity [2], though the description emphasizes the update failure scenario.
Mitigation
Linux kernel stable releases have been patched to use the security-version-number for the driver update check, as seen in multiple stable kernel commits [3][4]. Users should update their kernel to a version containing the fix (e.g., commit b00219888c11 or any later backport). The Siemens advisory lists this CVE as affecting SIMATIC CN 4100 devices, with all versions before V5.0 being impacted. For affected products, apply the vendor-supplied firmware update when available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux / Linux v5, Range: 5.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/79300ff532bccbbf654992c7c0863b49a6c3973c (nvd: Patch)
- git.kernel.org/stable/c/8151320c747efb22d30b035af989fed0d502176e (nvd: Patch)
- git.kernel.org/stable/c/908094681f645d3a78e18ef90561a97029e2df7b (nvd: Patch)
- git.kernel.org/stable/c/b00219888c11519ef75d988fa8a780da68ff568e (nvd: Patch)
- git.kernel.org/stable/c/cf0a88124e357bffda487cbf3cb612bb97eb97e4 (nvd: Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd: Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)