CVE-2025-38110 (GCVE-0-2025-38110)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-11 21:21
VLAI?
Title
net/mdiobus: Fix potential out-of-bounds clause 45 read/write access
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a , < abb0605ca00979a49572a6516f6db22c3dc57223 (git)
Affected: 4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a , < 31bf7b2b92563a352788cf9df3698682f659bacc (git)
Affected: 4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a , < 4ded22f7f3ce9714ed72c3e9c68fea1cb9388ae7 (git)
Affected: 4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a , < 260388f79e94fb3026c419a208ece8358bb7b555 (git)
Create a notification for this product.
Linux Linux Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/mdio_bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "abb0605ca00979a49572a6516f6db22c3dc57223",
              "status": "affected",
              "version": "4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a",
              "versionType": "git"
            },
            {
              "lessThan": "31bf7b2b92563a352788cf9df3698682f659bacc",
              "status": "affected",
              "version": "4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a",
              "versionType": "git"
            },
            {
              "lessThan": "4ded22f7f3ce9714ed72c3e9c68fea1cb9388ae7",
              "status": "affected",
              "version": "4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a",
              "versionType": "git"
            },
            {
              "lessThan": "260388f79e94fb3026c419a208ece8358bb7b555",
              "status": "affected",
              "version": "4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/mdio_bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds clause 45 read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via C45 (clause 45) mdiobus,\nthere is no verification of parameters passed to the ioctl and\nit accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before C45 read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:21:27.158Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/abb0605ca00979a49572a6516f6db22c3dc57223"
        },
        {
          "url": "https://git.kernel.org/stable/c/31bf7b2b92563a352788cf9df3698682f659bacc"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ded22f7f3ce9714ed72c3e9c68fea1cb9388ae7"
        },
        {
          "url": "https://git.kernel.org/stable/c/260388f79e94fb3026c419a208ece8358bb7b555"
        }
      ],
      "title": "net/mdiobus: Fix potential out-of-bounds clause 45 read/write access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38110",
    "datePublished": "2025-07-03T08:35:19.928Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-05-11T21:21:27.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-38110",
      "date": "2026-05-22",
      "epss": "0.00067",
      "percentile": "0.20697"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38110\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-03T09:15:24.680\",\"lastModified\":\"2025-11-20T21:36:19.313\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mdiobus: Fix potential out-of-bounds clause 45 read/write access\\n\\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\\nfrom/to network interface and its PHY via C45 (clause 45) mdiobus,\\nthere is no verification of parameters passed to the ioctl and\\nit accepts any mdio address.\\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\\nbut it is possible to pass higher value than that via ioctl.\\nWhile read/write operation should generally fail in this case,\\nmdiobus provides stats array, where wrong address may allow out-of-bounds\\nread/write.\\n\\nFix that by adding address verification before C45 read/write operation.\\nWhile this excludes this access from any statistics, it improves security of\\nread/write operation.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mdiobus: Arregla el potencial acceso de lectura/escritura fuera de los l\u00edmites de la cl\u00e1usula 45 Cuando se usan herramientas disponibles p\u00fablicamente como \u0027mdio-tools\u0027 para leer/escribir datos desde/hacia la interfaz de red y su PHY a trav\u00e9s de C45 (cl\u00e1usula 45) mdiobus, no hay verificaci\u00f3n de los par\u00e1metros pasados a ioctl y acepta cualquier direcci\u00f3n mdio. Actualmente hay soporte para 32 direcciones en el kernel a trav\u00e9s de la definici\u00f3n PHY_MAX_ADDR, pero es posible pasar un valor m\u00e1s alto que ese a trav\u00e9s de ioctl. Si bien la operaci\u00f3n de lectura/escritura generalmente deber\u00eda fallar en este caso, mdiobus proporciona una matriz de estad\u00edsticas, donde la direcci\u00f3n incorrecta puede permitir lectura/escritura fuera de los l\u00edmites. Arregla eso agregando la verificaci\u00f3n de direcci\u00f3n antes de la operaci\u00f3n de lectura/escritura C45. Si bien esto excluye este acceso de cualquier estad\u00edstica, mejora la seguridad de la operaci\u00f3n de lectura/escritura.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.3\",\"versionEndExcluding\":\"6.6.94\",\"matchCriteriaId\":\"2F32A46D-A3D6-46B7-841B-D6FED06301AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.34\",\"matchCriteriaId\":\"4FFA54AA-CDFE-4591-BD07-72813D0948F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.3\",\"matchCriteriaId\":\"0541C761-BD5E-4C1A-8432-83B375D7EB92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D4894DB-CCFE-4602-B1BF-3960B2E19A01\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/260388f79e94fb3026c419a208ece8358bb7b555\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/31bf7b2b92563a352788cf9df3698682f659bacc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4ded22f7f3ce9714ed72c3e9c68fea1cb9388ae7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/abb0605ca00979a49572a6516f6db22c3dc57223\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.