CVE-2025-38736 | net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization

In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Syzbot reported shift-out-of-bounds exception on MDIO bus initialization. The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues with MDIO bus operations. Fix this by masking the PHY address with 0x1f (31 decimal) to ensure it stays within the valid range.

Published: 2025-09-05 Last update: 2026-05-12 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Modified，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2025-38736

EPSS CVSS CWE GHSA Affected OS Tracker

Conclusion & alert: CVE-2025-38736 is rated Low Risk (30.2/100): CVSS High severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-38736

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-09-06	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-38736

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.1	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.2	[email protected]

Weakness enumeration for CVE-2025-38736

CWE-125 MITRE ↗

GitHub Security Advisory for CVE-2025-38736

GHSA-9pqv-7h63-32cr · Severity: high — In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix...

OS Trackers for CVE-2025-38736

vendor	priority	summary	link
`debian`	unimportant	CVE-2025-38736 unimportant priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2025-38736
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2025-38736
`suse`	medium	CVE-2025-38736 severity moderate: SUSE including 469 source package names (2.1.3-6.80:kernel-default-base-6.4.0-35.1.21.12, 2.1.3-7.57:kernel-default-6.4.0-35.1, …), 1064 product×package rows across 212 product lines (Container suse/sl-micro/6.0/base-os-container, Container suse/sl-micro/6.0/kvm-os-container, … (212 product lines)): Fixed 619, Known Affected 231, Known Not Affected 193, First Fixed 21.	https://www.suse.com/security/cve/CVE-2025-38736/
`ubuntu`	medium	CVE-2025-38736 medium priority: Ubuntu including 144 source packages (linux, linux-allwinner-5.19, …), 1152 status rows across 8 suites (bionic, focal, jammy, noble, plucky, trusty, upstream, xenial): DNE 797, ignored 157, not-affected 124, released 74.	https://ubuntu.com/security/CVE-2025-38736

Affected software / configurations for CVE-2025-38736

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 6.15.11, < 6.16	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.16.2, < 6.16.4	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.12.43	cpe:2.3:o:linux:linux_kernel:6.12.43:::::::*
linux	linux_kernel	6.17	cpe:2.3:o:linux:linux_kernel:6.17:rc2::::::
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References for CVE-2025-38736

URL	Tags
https://git.kernel.org/stable/c/22042ffedd8c2c6db08ccdd6d4273068eddd3c5c	Patch
https://git.kernel.org/stable/c/24ef2f53c07f273bad99173e27ee88d44d135b1c	Patch
https://git.kernel.org/stable/c/523eab02fce458fa6d3c51de5bb055800986953e	Patch
https://git.kernel.org/stable/c/748da80831221ae24b4bc8d7ffb22acd5712a341	Patch
https://git.kernel.org/stable/c/8f141f2a4f2ef8ca865d5921574c3d6535e00a49	Patch
https://git.kernel.org/stable/c/fcb4ce9f729c1d08e53abf9d449340e24c3edee6	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html

cvelogic Threat Intelligence