Executive Summary

CVE-2026-31790 covers a set of memory safety defects in the Siemens SIMATIC CN 4100 communication node, including NULL pointer dereference, reachable assertion, use after free, and out-of-bounds write, all reachable through the device network stack on versions below 5.0. Because the CN 4100 functions as a communication aggregation point between train and trackside or plant network segments, exploitation degrades or drops the data path that operational systems depend on, converting a software fault into a physical availability event.

Technical Exposure Breakdown

The vendor advisory bundles several distinct memory corruption primitives under one identifier. This matters because the classes have different exploitation ceilings. A NULL pointer dereference and a reachable assertion produce a process crash or a controlled abort, which maps cleanly to denial of service. A use after free and an out-of-bounds write are more severe, since both can be shaped toward memory disclosure or, under the right heap conditions, arbitrary code execution on the node itself.

The vendor CVSS v3 rating for the equipment sits at 9.6, while the aggregate score carried in our database is 7.5. That gap is not a contradiction. The higher figure reflects the worst case among the bundled defects where confidentiality, integrity, and availability all fall. The lower figure reflects the more common network denial of service outcome. Operators should plan against the 9.6 scenario, not the average.

The attack vector is the network interface. No physical access is required, and the conditions for triggering the availability path are minimal: a crafted packet or malformed session against an exposed service on the CN 4100. Memory corruption bugs of this type frequently do not require authentication because they live in the parsing layer that runs before any credential check. That is the assumption operators should carry until Siemens documentation states otherwise.

OT Impact and Compliance Risk

The CN 4100 is a communication node, so the failure mode is loss of the transport layer rather than direct manipulation of a controller. In practice that is still a control impact. If the node carries telemetry, protection signaling, or command traffic between segments, a crash removes visibility and control for everything downstream of it. In rail and pipeline deployments this can force a fallback to degraded or manual operation.

For IEC 62443, this is a zone conduit failure. The CN 4100 typically sits on the boundary between security zones, and a network reachable defect in a conduit device undermines the zone separation the architecture assumes. Under NERC CIP, a communication node in scope as a BES Cyber Asset or associated EACMS pulls this into CIP-007 patch management and CIP-010 configuration timelines. Pipeline operators under TSA Security Directive Pipeline 2021-02C should map this to the required mitigation measures for critical cyber systems and log it in their remediation tracking. Water utilities running comparable Siemens infrastructure under AWIA 2018 obligations should treat this as a risk assessment trigger.

Compensating Controls

Patching to version 5.0 or later is the endpoint, but the update window for a communication node on a live segment is rarely short. Treat the following as the bridge.

BreachSpider Intel

BreachSpider tracks CVE-2026-31790 and the broader SIMATIC advisory stream against live OT asset context, so operators can see exposure and monitor for exploitation activity without touching a production node.