{"id":"CVE-2025-71094","summary":"net: usb: asix: validate PHY address before use","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: validate PHY address before use\n\nThe ASIX driver reads the PHY address from the USB device via\nasix_read_phy_addr(). A malicious or faulty device can return an\ninvalid address (\u003e= PHY_MAX_ADDR), which causes a warning in\nmdiobus_get_phy():\n\n  addr 207 out of range\n  WARNING: drivers/net/phy/mdio_bus.c:76\n\nValidate the PHY address in asix_read_phy_addr() and remove the\nnow-redundant check in ax88172a.c.","modified":"2026-04-02T13:04:47.256921Z","published":"2026-01-13T15:34:54.669Z","related":["MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71094.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71094.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71094"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7e88b11a862afe59ee0c365123ea5fb96a26cb3b"},{"fixed":"fc96018f09f8d30586ca6582c5045a84eafef146"},{"fixed":"f5f4f30f3811d37e1aa48667c36add74e5a8d99f"},{"fixed":"38722e69ee64dbb020028c93898d25d6f4c0e0b2"},{"fixed":"98a12c2547a44a5f03f35c108d2022cc652cbc4d"},{"fixed":"bf8a0f3b787ca7c5889bfca12c60c483041fbee3"},{"fixed":"a1e077a3f76eea0dc671ed6792e7d543946227e8"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"4e4f3cb41d687bd64cd03358862b23c84d82329e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71094.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.14.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71094.json"}}],"schema_version":"1.7.5"}