CVE-2025-71094 in Linux
Summary
by MITRE • 01/13/2026
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix: validate PHY address before use
The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy():
addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/25/2026
The vulnerability CVE-2025-71094 represents a critical validation issue within the Linux kernel's USB networking subsystem, specifically affecting the ASIX driver implementation. This flaw resides in the network interface driver responsible for managing USB-based Ethernet adapters manufactured by ASIX Electronics Corporation. The vulnerability stems from insufficient input validation during the initialization phase when the driver attempts to read the PHY (Physical Layer) address from a connected USB device through the asix_read_phy_addr() function. This function serves as the primary interface for establishing communication with the physical network hardware and determining its operational parameters.
The technical flaw manifests when a malicious or defective USB device responds to the address reading request with an invalid PHY address value that exceeds the maximum allowed address boundary defined by PHY_MAX_ADDR. This boundary typically represents the maximum number of supported PHY addresses within the MDIO (Media Dependent Interface) bus architecture. When such an invalid address is returned, the subsequent call to mdiobus_get_phy() generates a warning message indicating that the address is out of range, specifically showing "addr 207 out of range" in the kernel logs. This warning originates from the MDIO bus implementation at drivers/net/phy/mdio_bus.c line 76, indicating a fundamental failure in the address validation mechanism that should have been implemented at the driver level rather than relying on downstream validation.
The operational impact of this vulnerability extends beyond simple warning messages and represents a potential security risk within embedded systems and network infrastructure that rely on USB Ethernet adapters. Attackers could exploit this weakness by connecting malicious USB devices that deliberately return invalid PHY addresses, potentially causing denial of service conditions or enabling more sophisticated attack vectors. The vulnerability affects systems where the ASIX driver is used for USB network connections, including various embedded devices, IoT appliances, and portable computing systems that utilize USB-to-Ethernet adapters. The flaw demonstrates a classic security principle violation where input validation should occur at the point of data acquisition rather than relying on subsequent layers to detect and handle malformed data.
The fix implemented for CVE-2025-71094 addresses this issue by adding proper validation logic within the asix_read_phy_addr() function to ensure that any PHY address returned from the USB device falls within the acceptable range before proceeding with further operations. This approach aligns with the principle of defense in depth and follows established security practices for input validation as outlined in CWE-20, which covers "Improper Input Validation" in software security. The solution also removes redundant validation checks from ax88172a.c, streamlining the codebase and eliminating potential race conditions or inconsistent validation behaviors. This remediation follows the ATT&CK framework's concept of privilege escalation through system component manipulation, where an attacker could potentially exploit such validation gaps to gain unauthorized access to network operations or cause system instability.
The vulnerability classification places it within the broader category of driver-level security flaws that can impact network connectivity and system stability. The fix demonstrates proper software engineering practices by implementing validation at the appropriate layer of the software stack, ensuring that device drivers validate all inputs from external hardware before processing them. This approach prevents cascading failures where invalid data might propagate through multiple system components, ultimately leading to more severe security implications. The resolution also emphasizes the importance of proper error handling in embedded systems where hardware malfunctions or malicious devices might attempt to exploit validation gaps in network drivers. Organizations deploying Linux-based systems with USB networking capabilities should prioritize this patch to prevent potential exploitation scenarios that could lead to network disruption or unauthorized access to connected systems.