CVE-2025-38736
Description
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization
Syzbot reported shift-out-of-bounds exception on MDIO bus initialization.
The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues with MDIO bus operations.
Fix this by masking the PHY address with 0x1f (31 decimal) to ensure it stays within the valid range.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the ASIX USB Ethernet driver lacked a PHY address mask, allowing out-of-bounds memory access during MDIO bus initialization.
Root
Cause
The vulnerability resides in the asix_devices driver within the Linux kernel's USB Ethernet subsystem. During MDIO bus initialization, the driver failed to properly mask PHY addresses. Without applying a mask of 0x1f (5 bits, valid range 0-31), invalid or out-of-range PHY addresses could be used. This oversight could trigger a shift-out-of-bounds exception, as demonstrated by a syzbot report [1][2].
Attack
Vector
An attacker with physical access to a USB port could connect a malicious USB device that presents itself as an ASIX-based Ethernet adapter. By supplying crafted descriptors or control requests, the attacker can force the driver to use an invalid PHY address, potentially causing memory corruption or a kernel panic. No network-based authentication is required; the attack surface is limited to local USB access.
Impact
A successful exploitation could lead to an out-of-bounds memory access, resulting in a denial of service (system crash or hang). In some configurations, this might be leveraged for privilege escalation or arbitrary code execution, though the primary risk is system instability. The vulnerability is rated High with a CVSS v3 score of 7.1.
Mitigation
The fix has been integrated into the Linux kernel stable tree and is introduced by commits that add the missing PHY address mask [2][3][4]. Users should apply the latest kernel updates from their distribution vendor. Siemens has also listed this CVE among affected products in advisory SSA-032379, urging updates for SIMATIC CN 4100 devices [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Linux/Linuxv5Range: 6.12.43
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/22042ffedd8c2c6db08ccdd6d4273068eddd3c5cnvdPatch
- git.kernel.org/stable/c/24ef2f53c07f273bad99173e27ee88d44d135b1cnvdPatch
- git.kernel.org/stable/c/523eab02fce458fa6d3c51de5bb055800986953envdPatch
- git.kernel.org/stable/c/748da80831221ae24b4bc8d7ffb22acd5712a341nvdPatch
- git.kernel.org/stable/c/8f141f2a4f2ef8ca865d5921574c3d6535e00a49nvdPatch
- git.kernel.org/stable/c/fcb4ce9f729c1d08e53abf9d449340e24c3edee6nvdPatch
- lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlnvdThird Party Advisory
- cert-portal.siemens.com/productcert/html/ssa-032379.htmlnvd
News mentions
1- Siemens SIMATICCISA ICS Advisories