PT-2025-36266 · Linux+3 · Linux+3

Syzbot

Published

2025-01-01

Updated

2026-03-13

CVE-2025-38736

CVSS v3.1

7.1

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions linux (affected versions not specified)

Description The Linux kernel contained a flaw in the USB/ASIX device driver where the PHY address was not properly masked during MDIO bus initialization. This could lead to shift-out-of-bounds exceptions and potential issues with MDIO bus operations due to the use of invalid PHY addresses. The fix involves masking the PHY address with 0x1f to ensure it remains within the valid range of 0-31.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Out of bounds Read

Improper Initialization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-125CWE-665

Related Identifiers

BDU:2026-02726

CVE-2025-38736

DLA-4328-1

DSA-6008-1

DSA-6009-1

ECHO-F55A-88E1-5789

OPENSUSE-SU-2025:20081-1

SUSE-SU-2025:03600-1

SUSE-SU-2025:03634-1

SUSE-SU-2025:20851-1

SUSE-SU-2025:20861-1

SUSE-SU-2025:20870-1

SUSE-SU-2025:20898-1

SUSE-SU-2025:21074-1

SUSE-SU-2025:21139-1

SUSE-SU-2025:21179-1

SUSE-SU-2025:3751-1

SUSE-SU-2025:4057-1

SUSE-SU-2025:4132-1

SUSE-SU-2025:4141-1

Affected Products

Astra Linux

Debian

Linux

Suse

PT-2025-36266 · Linux+3 · Linux+3

CVE-2025-38736

Weakness Enumeration

Related Identifiers

Affected Products

References · 2127