CVE-2025-71196
Description
In the Linux kernel, the following vulnerability has been resolved:
phy: stm32-usphyc: Fix off by one in probe()
The "index" variable is used as an index into the usbphyc->phys[] array which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys then it is one element out of bounds. The "index" comes from the device tree so it's data that we trust and it's unlikely to be wrong, however it's obviously still worth fixing the bug. Change the > to >=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel USB PHY driver contains an off-by-one array bounds check that could be triggered by a malformed device tree entry.
Vulnerability
In the Linux kernel's STM32 USBPHYC driver (phy-stm32-usbphyc), the probe() function validates an index property from the device tree against the number of PHY instances (usbphyc->nphys). The check uses > when it should use >=, so index == usbphyc->nphys passes validation. Since the array usbphyc->phys[] has indices 0 through nphys-1, this off‑by‑one error can cause an out‑of‑bounds access [1][2].
Exploitation
The index value is read from the device tree, which is typically trusted firmware data. An attacker with the ability to supply a malicious device tree (e.g., through a compromised bootloader or firmware update) could set index equal to nphys. The driver would then access usbphyc->phys[index], reading or writing beyond the allocated array [1][2]. No further authentication or network access is needed once the malicious device tree is loaded.
Impact
This out‑of‑bounds access can lead to memory corruption, potentially causing a system crash or, under specific conditions, enabling arbitrary code execution in the kernel context. The bug is classified as a low‑severity issue because it requires control over the device tree, which is not a common attack vector [1].
Mitigation
The fix changes the comparison from > to >=, ensuring that an index equal to nphys is rejected. The patch has been applied to the stable kernel trees [1][2]. Users should update to a kernel version containing the fix to eliminate the vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
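The off-by-one described above, as an added example that is not taken from the kernel source or the patch: a userspace C model that runs the same constructed index values through the > check and the fixed >= check. The struct, the function names, NPHYS, the sample indices and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; all names here are hypothetical, not the driver's. */
#define NPHYS 2

struct model_usbphyc {
    size_t nphys;        /* number of elements in phys[] */
    int    phys[NPHYS];  /* valid indices: 0 .. nphys - 1 */
};

typedef int (*check_fn)(const struct model_usbphyc *, uint32_t);

/* Check as described before the fix: index == nphys slips through. */
static int check_index_before(const struct model_usbphyc *u, uint32_t index)
{
    return index > u->nphys ? -EINVAL : 0;
}

/* Check after the fix: '>' changed to '>='. */
static int check_index_after(const struct model_usbphyc *u, uint32_t index)
{
    return index >= u->nphys ? -EINVAL : 0;
}

/* Count values that pass the check although phys[index] would be out of bounds. */
static size_t count_oob_accepted(const struct model_usbphyc *u, check_fn check,
                                 const uint32_t *indices, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (check(u, indices[i]) == 0 && indices[i] >= u->nphys)
            bad++;
    return bad;
}

/* Constructed sample inputs standing in for device-tree index values. */
static const uint32_t sample_indices[] = { 0, 1, 2, 3, UINT32_MAX };
#define N_SAMPLES (sizeof(sample_indices) / sizeof(sample_indices[0]))

int main(void)
{
    struct model_usbphyc u = { .nphys = NPHYS };
    printf("before: %zu\n", count_oob_accepted(&u, check_index_before, sample_indices, N_SAMPLES));
    printf("after:  %zu\n", count_oob_accepted(&u, check_index_after, sample_indices, N_SAMPLES));
    return 0;
}
```

The model never dereferences phys[] with a rejected or out-of-range value; it only reports which inputs each check would let through.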
Affected products
1
Patches
0
No patches discovered yet.
References
- git.kernel.org/stable/c/76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c (nvd)
- git.kernel.org/stable/c/7c27eaf183563b86d815ff6e9cca0210b4cfa051 (nvd)
- git.kernel.org/stable/c/a9eec890879731c280697fdf1c50699e905b2fa7 (nvd)
- git.kernel.org/stable/c/b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad (nvd)
- git.kernel.org/stable/c/c06f13876cbad702582cd67fc77356e5524d02cd (nvd)
- git.kernel.org/stable/c/cabd25b57216ddc132efbcc31f972baa03aad15a (nvd)
- git.kernel.org/stable/c/fb9d513cdf1614bf0f0e785816afb1faae3f81af (nvd)