CVE-2025-71094
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-03-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-71094
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.14
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.13 (inc) to 6.18.4 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.160 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.120 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.64 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 5.13.13 (inc) to 5.14 (exc)
linux linux_kernel From 5.14.1 (inc) to 5.15.198 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the ASIX driver in the Linux kernel, which reads the PHY address from a USB device. A malicious or faulty device can provide an invalid PHY address that is out of the expected range, causing a warning in the kernel's mdiobus code. The vulnerability is addressed by validating the PHY address before use to prevent such invalid addresses from causing issues.

Impact Analysis

If exploited, this vulnerability could cause warnings or potential instability in the Linux kernel's network driver subsystem when interacting with malicious or faulty USB devices. This could lead to degraded system reliability or unexpected behavior when using affected ASIX USB network devices.

Detection Guidance

You can detect this vulnerability by monitoring system logs for warnings related to the PHY address, specifically messages like 'addr 207 out of range' or 'WARNING: drivers/net/phy/mdio_bus.c:76'. Checking kernel logs with commands such as 'dmesg | grep mdio_bus' or 'journalctl -k | grep mdio_bus' may help identify the issue.

Mitigation Strategies

Immediate mitigation involves updating the Linux kernel to a version where the ASIX driver validates the PHY address before use, as the vulnerability has been resolved by adding validation in asix_read_phy_addr() and removing redundant checks. Until then, avoid using untrusted or potentially malicious USB devices that could trigger this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71094. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart