CVE-2025-38725
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-11-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.1.153 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's USB driver for asix_devices, specifically the ax88772 mdio bus. Without setting a phy_mask, the driver may create up to 32 mdio phy devices, but only one main phy device binds correctly. During system suspend/resume, the driver attempts to access a driver member of non-main phy devices, which can be NULL, leading to a NULL pointer dereference and potential system crash. The fix involves adding a phy_mask to limit the devices and avoid this issue.
How can this vulnerability impact me? :
This vulnerability can cause system instability or crashes during suspend or resume operations on affected Linux systems using the ax88772 mdio bus driver. Specifically, a NULL pointer dereference can occur, potentially leading to kernel panics or system hangs, impacting system availability and reliability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix that adds phy_mask for the ax88772 mdio bus. This prevents the creation of multiple mdio phy devices and avoids the NULL pointer dereference issue during system suspend/resume. If possible, update your kernel to a version that contains this patch or apply the patch manually. Additionally, avoid using affected devices without the fix, such as the DLink DUB-E100 H/W Ver B1, until the kernel is updated.