CVE Catalog

CVE-2025-38725

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile - higher than 4% of all known CVEs

Summary

In the Linux kernel, the asix_devices driver for ASIX AX88772 USB Ethernet chips lacked a phy_mask setting for the MDIO bus. This caused up to 32 dummy PHY devices to be created, with only one binding to the network driver. During system suspend/resume, a NULL pointer dereference occurred in phy_state_machine(), leading to a crash.

Risk Assessment

The organization may experience system crashes (kernel panic) during suspend/resume operations on devices with ASIX AX88772 chips (e.g., DLink DUB-E100). This results in network unavailability and potential data loss.

Recommendation

Update the Linux kernel to a version containing the fix (commit adding phy_mask for ax88772). If an update is not possible, avoid using affected USB Ethernet devices in power management scenarios (suspend/resume).

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy_mask for ax88772 mdio bus Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device will bind to net phy driver. This is creating issue during system suspend/resume since phy_polling_mode() in phy_state_machine() will directly deference member of phydev->drv for non-main phy devices. Then NULL pointer dereference issue will occur. Due to only external phy or internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS