CVE-2025-38110
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/07/2025
Last modified:
03/07/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/mdiobus: Fix potential out-of-bounds clause 45 read/write access<br />
<br />
When using publicly available tools like &#39;mdio-tools&#39; to read/write data<br />
from/to network interface and its PHY via C45 (clause 45) mdiobus,<br />
there is no verification of parameters passed to the ioctl and<br />
it accepts any mdio address.<br />
Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,<br />
but it is possible to pass higher value than that via ioctl.<br />
While read/write operation should generally fail in this case,<br />
mdiobus provides stats array, where wrong address may allow out-of-bounds<br />
read/write.<br />
<br />
Fix that by adding address verification before C45 read/write operation.<br />
While this excludes this access from any statistics, it improves security of<br />
read/write operation.