CVE-2025-38736

EUVD-2025-31553

05.09.2025, 18:15

In the Linux kernel, the following vulnerability has been resolved:

net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization

Syzbot reported shift-out-of-bounds exception on MDIO bus initialization.

The PHY address should be masked to 5 bits (0-31). Without this
mask, invalid PHY addresses could be used, potentially causing issues
with MDIO bus operations.

Fix this by masking the PHY address with 0x1f (31 decimal) to ensure
it stays within the valid range.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.15.11 ≤ 𝑥 < 6.16
linux	linux_kernel	6.16.2 ≤ 𝑥 < 6.16.4
linux	linux_kernel	6.12.43
linux	linux_kernel	6.17:rc2
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.159-1 fixed
bookworm (security)	6.1.162-1 fixed
bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.249-1 fixed
forky	6.18.15-1 fixed
sid	6.19.6-1 fixed
trixie	6.12.63-1 fixed
trixie (security)	6.12.73-1 fixed

linux-6.1

bullseye (security)

6.1.162-1~deb11u1

fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/22042ffedd8c2c6db08ccdd6d4273068eddd3c5c

https://git.kernel.org/stable/c/24ef2f53c07f273bad99173e27ee88d44d135b1c

https://git.kernel.org/stable/c/523eab02fce458fa6d3c51de5bb055800986953e

https://git.kernel.org/stable/c/748da80831221ae24b4bc8d7ffb22acd5712a341

https://git.kernel.org/stable/c/8f141f2a4f2ef8ca865d5921574c3d6535e00a49

https://git.kernel.org/stable/c/fcb4ce9f729c1d08e53abf9d449340e24c3edee6

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html