CVE-2025-71196 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

phy: stm32-usphyc: Fix off by one in probe()

The "index" variable is used as an index into the usbphyc->phys[] array
which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys then it is one element out of bounds. The "index" comes from the device tree so it's data that we trust and it's unlikely to be wrong, however it's obviously still worth fixing the bug. Change the > to >=.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/30/2026

The vulnerability identified as CVE-2025-71196 represents a classic buffer overflow condition within the Linux kernel's phy driver subsystem, specifically affecting the stm32-usphyc driver implementation. This issue manifests in the probe function where an index variable is improperly validated against array bounds, creating a potential for memory corruption and system instability. The vulnerability stems from a fundamental flaw in input validation where the comparison operator fails to account for the zero-based indexing nature of array access. The affected driver handles USB PHY (Physical Layer) controllers for stm32 microcontrollers, which are widely used in embedded systems and automotive applications where reliable operation is critical. The device tree configuration provides the index value that determines which physical USB controller to initialize, making this a configuration-dependent vulnerability that could be exploited through malicious device tree overlays or incorrect hardware configuration.

The technical implementation flaw resides in the comparison logic within the probe function where the index variable is checked against the array size using a greater-than operator instead of a greater-than-or-equal-to operator. The usbphyc->phys[] array contains usbphyc->nphys elements, meaning valid indices range from 0 to usbphyc->nphys-1. When the index equals usbphyc->nphys, it references memory beyond the allocated array bounds, creating a classic off-by-one error that can lead to memory corruption. This type of vulnerability maps directly to CWE-129, which addresses improper validation of array indices, and CWE-787, which covers out-of-bounds write operations. The flaw demonstrates a lack of proper boundary checking in kernel space code, where the assumption that device tree data is always valid leads to inadequate input sanitization. The vulnerability is particularly concerning because it occurs during driver initialization, potentially allowing an attacker to cause system crashes or, in more sophisticated scenarios, execute arbitrary code through memory corruption.

The operational impact of this vulnerability extends beyond simple system instability to potentially compromise the integrity of embedded systems that rely on the stm32-usphyc driver. In automotive applications, industrial control systems, or network infrastructure devices using stm32 microcontrollers, this vulnerability could result in unexpected system behavior, denial of service, or even data corruption that affects critical operations. The attack surface is primarily through device tree manipulation, which means that any system allowing untrusted device tree modifications or configuration updates could be at risk. From an ATT&CK perspective, this vulnerability aligns with T1059.001 (Command and Scripting Interpreter: PowerShell) and T1547.001 (Registry Run Keys / Startup Folder) as potential attack vectors through device tree injection, and T1068 (Exploitation for Privilege Escalation) as the potential for privilege escalation through memory corruption. The vulnerability is particularly dangerous in environments where device tree overlays are used for configuration management, as these overlays could be modified to trigger the out-of-bounds access condition.

Mitigation strategies for CVE-2025-71196 should focus on immediate code fixes and defensive programming practices. The primary fix involves changing the comparison operator from > to >= in the index validation logic, ensuring that the index value never exceeds the maximum valid array index. This simple but critical change prevents the out-of-bounds memory access that could lead to system crashes or more severe consequences. System administrators should ensure that all Linux kernel versions containing the fix are deployed, particularly in embedded environments where device tree configurations are common. Additional defensive measures include implementing strict device tree validation policies, monitoring for unauthorized device tree modifications, and ensuring that only trusted sources can provide device tree configurations to affected systems. The vulnerability highlights the importance of proper input validation in kernel space code and demonstrates why even seemingly benign assumptions about data integrity can lead to serious security implications. Organizations should also consider implementing runtime monitoring for memory corruption patterns and maintain up-to-date kernel security patches to protect against similar vulnerabilities that may exist in other driver subsystems.

Responsible

Linux

Reservation

01/31/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00173

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!