CVE-2025-38111

EUVD-2025-19832

03.07.2025, 09:15

In the Linux kernel, the following vulnerability has been resolved:

net/mdiobus: Fix potential out-of-bounds read/write access

When using publicly available tools like 'mdio-tools' to read/write data
from/to network interface and its PHY via mdiobus, there is no verification of
parameters passed to the ioctl and it accepts any mdio address.
Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,
but it is possible to pass higher value than that via ioctl.
While read/write operation should generally fail in this case,
mdiobus provides stats array, where wrong address may allow out-of-bounds
read/write.

Fix that by adding address verification before read/write operation.
While this excludes this access from any statistics, it improves security of
read/write operation.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 23%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.6 ≤ 𝑥 < 5.10.239
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.186
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.142
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.94
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.34
linux	linux_kernel	6.13 ≤ 𝑥 < 6.15.3
linux	linux_kernel	6.16:rc1
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
Siemens	SIMATIC S7-1500 CPU 1518-4 PN\/DP MFP	V3.1.5 ≤ 𝑥 < *	ADP
Siemens	SIMATIC S7-1500 CPU 1518-4 PN\/DP MFP	V3.1.5 ≤ 𝑥 < *	ADP
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN\/DP MFP	V3.1.5 ≤ 𝑥 < *	ADP
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN\/DP MFP	V3.1.5 ≤ 𝑥 < *	ADP
Siemens	SIPLUS S7-1500 CPU 1518-4 PN\/DP MFP	V3.1.5 ≤ 𝑥 < *	ADP

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.172-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.251-5 fixed
forky	7.0.7-1 fixed
sid	7.0.7-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.88-1 fixed

linux-6.1

bullseye (security)

6.1.172-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

dlm-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

gfs2-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-64kb

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1 fixed

kernel-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.48.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.11.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.48.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.11.1 fixed

kernel-default

suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed

kernel-default-base

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1.150600.12.28.4 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.1.150700.17.9.4 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1.150600.12.28.4 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.1.150700.17.9.4 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1.150400.24.92.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1.150500.6.59.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1.150600.12.28.4 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1.150700.17.9.4 fixed

kernel-default-extra

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise workstation 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise workstation 15 SP7	6.4.0-150700.53.11.1 fixed

kernel-docs

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.3 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.3 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.3 fixed

kernel-macros

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1 fixed

kernel-source

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1 fixed

kernel-source-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.48.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.11.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.48.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.11.1 fixed

kernel-syms

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.48.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.11.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.48.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.11.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.65.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1 fixed

ocfs2-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

reiserfs-kmp-default

suse enterprise sap 15 SP7	6.4.0-150700.53.11.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.179.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.124.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.11.1 fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/014ad9210373d2104f6ef10e6bb999a7a0a4c50e

https://git.kernel.org/stable/c/049af7ac45a6b407748ee0995278fd861e36df8f

https://git.kernel.org/stable/c/0e629694126ca388916f059453a1c36adde219c4

https://git.kernel.org/stable/c/19c5875e26c4ed5686d82a7d8f7051385461b9eb

https://git.kernel.org/stable/c/73d478234a619f3476028cb02dee699c30ae8262

https://git.kernel.org/stable/c/b02d9d2732483e670bc34cb233d28e1d43b15da4

https://git.kernel.org/stable/c/bab6bca0834cbb5be2a7cfe59ec6ad016ec72608

https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

https://cert-portal.siemens.com/productcert/html/ssa-082556.html