VYPR
High severity 7.1 · NVD Advisory · Published Sep 19, 2025 · Updated May 12, 2026

CVE-2025-39853

Description

In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix potential invalid access when MAC list is empty

list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced.

Fix this by using list_first_entry_or_null instead of list_first_entry.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's i40e driver, using list_first_entry() on an empty MAC list can cause invalid memory access; fixed by using list_first_entry_or_null.

Vulnerability

CVE-2025-39853 is a bug in the Linux kernel's i40e network driver. The root cause is the use of list_first_entry() on a MAC address list that may be empty. Unlike list_first_entry_or_null(), list_first_entry() does not return NULL for an empty list; it returns a pointer to an invalid object, leading to potential invalid memory access when that pointer is dereferenced [1][2].
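The difference between the two helpers, as an added example that is not the i40e driver's code or the kernel patch: simplified userspace copies of the list macros are run on an empty list and on a one-element list. `struct mac_entry`, `struct port` and the function names are hypothetical stand-ins.

```c
/* Added example: userspace copies of the list helpers, simplified from the
 * kernel's include/linux/list.h. struct mac_entry and struct port are
 * hypothetical stand-ins, not i40e driver structures. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)
#define list_first_entry_or_null(head, type, member) \
	((head)->next != (head) ? list_first_entry(head, type, member) : NULL)

struct mac_entry { unsigned char addr[6]; struct list_head node; };
struct port { unsigned long long flags; struct list_head mac_list; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}

/* Empty list: head->next == head, so the "entry" is the head shifted back by
 * offsetof(node). It is non-NULL, so a later NULL check cannot catch it. */
static int first_entry_is_bogus(struct port *p)
{
	struct mac_entry *e = list_first_entry(&p->mac_list, struct mac_entry, node);
	return e != NULL && &e->node == &p->mac_list;
}

/* Fixed pattern: NULL on an empty list, the real first element otherwise. */
static struct mac_entry *first_mac(struct port *p)
{
	return list_first_entry_or_null(&p->mac_list, struct mac_entry, node);
}

int main(void)
{
	struct port p = { 0 };
	struct mac_entry m = { .addr = {2, 0, 0, 0, 0, 1} }; /* constructed sample */
	list_init(&p.mac_list);
	printf("empty: bogus=%d or_null=%p\n", first_entry_is_bogus(&p), (void *)first_mac(&p));
	list_add_tail(&m.node, &p.mac_list);
	printf("one entry: or_null returns it: %d\n", first_mac(&p) == &m);
	return 0;
}
```

With this layout the bogus entry overlays `struct port` itself, so reading its `addr` field would return bytes of `flags` rather than a MAC address.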

Exploitation

An attacker with local access or the ability to trigger the vulnerable code path (e.g., by manipulating network configuration) could cause the driver to dereference an invalid pointer. No special privileges beyond those needed to interact with the i40e driver are required, but the attack surface is limited to systems using the affected Intel Ethernet Controller XL710 (i40e) driver.

Impact

Successful exploitation could result in a denial of service (system crash) or, in some cases, arbitrary code execution in kernel context, depending on memory layout. The CVSS v3 base score is 7.1 (High), indicating significant potential for confidentiality, integrity, and availability impact [1].

Mitigation

The fix has been applied in the Linux kernel stable tree, replacing list_first_entry() with list_first_entry_or_null() [3][4]. Users should update to a patched kernel version. Siemens has also listed this CVE as affecting SIMATIC CN 4100 devices (all versions < V5.0) and recommends updating to V5.0 or later [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
