CVE-2025-38736

HIGH

Linux Kernel < 6.16 - Out-of-Bounds Read

Title source: rule

Description

In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Syzbot reported shift-out-of-bounds exception on MDIO bus initialization. The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues with MDIO bus operations. Fix this by masking the PHY address with 0x1f (31 decimal) to ensure it stays within the valid range.

References (7)

Core 7

Core References

Patch

https://git.kernel.org/stable/c/22042ffedd8c2c6db08ccdd6d4273068eddd3c5c

Patch

https://git.kernel.org/stable/c/24ef2f53c07f273bad99173e27ee88d44d135b1c

Patch

https://git.kernel.org/stable/c/523eab02fce458fa6d3c51de5bb055800986953e

Patch

https://git.kernel.org/stable/c/748da80831221ae24b4bc8d7ffb22acd5712a341

Patch

https://git.kernel.org/stable/c/8f141f2a4f2ef8ca865d5921574c3d6535e00a49

Patch

https://git.kernel.org/stable/c/fcb4ce9f729c1d08e53abf9d449340e24c3edee6

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Scores

CVSS v3 7.1

EPSS 0.0002

EPSS Percentile 4.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Details

CWE

CWE-125

Status published

Products (6)

debian/debian_linux 11.0

linux/Kernel 6.12.43 - 6.12.44linux

linux/Kernel 6.16.2 - 6.16.4linux

linux/linux_kernel 6.12.43

linux/linux_kernel 6.17 rc2

linux/linux_kernel 6.15.11 - 6.16

Published Sep 05, 2025

Tracked Since Feb 18, 2026