CVE-2025-38110
BaseFortify
Publication date: 2025-07-03
Last updated on: 2025-11-20
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel's net/mdiobus subsystem allows out-of-bounds read/write access when using tools like 'mdio-tools' to interact with network interface PHY devices via clause 45 (C45) mdiobus. The ioctl interface does not verify the mdio address parameter, allowing addresses beyond the supported 32 (PHY_MAX_ADDR) to be used. This can lead to out-of-bounds access in the stats array, potentially causing incorrect behavior or security issues. The fix adds address verification before C45 read/write operations to prevent this.
How can this vulnerability impact me? :
This vulnerability can lead to out-of-bounds memory access in the kernel, which may cause system instability, crashes, or potentially allow an attacker to manipulate kernel memory. This could compromise the security and reliability of the affected system, especially if untrusted users or processes can invoke the vulnerable ioctl calls.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch or update to the fixed Linux kernel version that includes the address verification for C45 read/write operations in net/mdiobus. This prevents out-of-bounds access by verifying mdio addresses before performing operations.