CVE-2025-38111

net/mdiobus: Fix potential out-of-bounds read/write access

Description

In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/19c5875e26c4ed5686d82a7d8f7051385461b9eb
https://git.kernel.org/stable/c/014ad9210373d2104f6ef10e6bb999a7a0a4c50e
https://git.kernel.org/stable/c/73d478234a619f3476028cb02dee699c30ae8262
https://git.kernel.org/stable/c/bab6bca0834cbb5be2a7cfe59ec6ad016ec72608
https://git.kernel.org/stable/c/b02d9d2732483e670bc34cb233d28e1d43b15da4
https://git.kernel.org/stable/c/049af7ac45a6b407748ee0995278fd861e36df8f
https://git.kernel.org/stable/c/0e629694126ca388916f059453a1c36adde219c4

Frequently Asked Questions

What is the severity of CVE-2025-38111?
CVE-2025-38111 has not yet been assigned a CVSS score.
How to fix CVE-2025-38111?
To fix CVE-2025-38111, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-38111 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-38111 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-38111?
CVE-2025-38111 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.