Wind River Support Network

Acknowledged

LIN1022-16307 : Security Advisory - linux - CVE-2025-38111

Created: Jul 3, 2025    Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mdiobus: Fix potential out-of-bounds read/write access

When using publicly available tools like 'mdio-tools' to read/write data from/to a network interface and its PHY via mdiobus, there is no verification of the parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in the kernel via the PHY_MAX_ADDR define, but it is possible to pass a higher value than that via ioctl. While the read/write operation should generally fail in this case, mdiobus provides a stats array, where a wrong address may allow an out-of-bounds read/write.

Fix that by adding address verification before the read/write operation. While this excludes this access from any statistics, it improves the security of the read/write operation.
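The check the commit message describes, shown as an added example in plain user-space C. This is not the kernel's code or Wind River's: PHY_MAX_ADDR (32) matches the kernel define named above, but the stats layout, the register backing store, the function names and the -ENXIO return value are assumptions made for this model. The unchecked function is the "before" pattern; the checked functions reject the caller-supplied address before the stats array is indexed, which is why a rejected request never appears in any counter.

```c
/* Added example, not the kernel's code: a user-space model of the
 * address check described for net/mdiobus. PHY_MAX_ADDR (32) matches
 * the kernel define; the stats layout, the register backing store and
 * the -ENXIO return value are assumptions made for this model. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PHY_MAX_ADDR 32
#define MDIO_REGS    32   /* register space per address, used only to size the model */

struct mdio_bus_stats {
    uint64_t transfers;
    uint64_t errors;
    uint64_t writes;
    uint64_t reads;
};

struct mii_bus {
    struct mdio_bus_stats stats[PHY_MAX_ADDR];  /* the per-address array the advisory refers to */
    uint16_t regs[PHY_MAX_ADDR][MDIO_REGS];     /* constructed stand-in for the PHY registers */
};

/* The bug: a caller-controlled address indexes stats[] with no range check,
 * so addr >= PHY_MAX_ADDR touches memory past the array. Kept here as the
 * "before" pattern; only ever call it with an address that was validated. */
int mdiobus_write_unchecked(struct mii_bus *bus, int addr, unsigned int regnum, uint16_t val)
{
    bus->stats[addr].transfers++;   /* out-of-bounds when addr >= PHY_MAX_ADDR */
    bus->stats[addr].writes++;
    if (regnum >= MDIO_REGS) {
        bus->stats[addr].errors++;
        return -EINVAL;
    }
    bus->regs[addr][regnum] = val;
    return 0;
}

/* The fix: reject the address before any stats or device access happens.
 * A rejected request is therefore not counted anywhere, which is the
 * trade-off the commit message notes. */
static int mdiobus_addr_valid(int addr)
{
    return addr >= 0 && addr < PHY_MAX_ADDR;
}

int mdiobus_write_checked(struct mii_bus *bus, int addr, unsigned int regnum, uint16_t val)
{
    if (!mdiobus_addr_valid(addr))
        return -ENXIO;   /* assumption: error value chosen for this model */
    return mdiobus_write_unchecked(bus, addr, regnum, val);
}

int mdiobus_read_checked(struct mii_bus *bus, int addr, unsigned int regnum, uint16_t *val)
{
    if (!mdiobus_addr_valid(addr))
        return -ENXIO;
    bus->stats[addr].transfers++;
    bus->stats[addr].reads++;
    if (regnum >= MDIO_REGS) {
        bus->stats[addr].errors++;
        return -EINVAL;
    }
    *val = bus->regs[addr][regnum];
    return 0;
}

/* Sum of every transfer counter; lets a caller confirm that a rejected
 * out-of-range request left the stats array untouched. */
uint64_t mdiobus_total_transfers(const struct mii_bus *bus)
{
    uint64_t total = 0;
    for (int i = 0; i < PHY_MAX_ADDR; i++)
        total += bus->stats[i].transfers;
    return total;
}

int main(void)
{
    struct mii_bus bus;
    uint16_t v = 0;
    memset(&bus, 0, sizeof(bus));

    /* In-range access behaves exactly as before the check was added. */
    mdiobus_write_checked(&bus, 5, 2, 0x1234);
    mdiobus_read_checked(&bus, 5, 2, &v);
    printf("addr 5 reg 2 = 0x%04x, transfers = %llu\n", v,
           (unsigned long long)mdiobus_total_transfers(&bus));

    /* A user-supplied address beyond PHY_MAX_ADDR is refused before stats[] is indexed. */
    int rc = mdiobus_write_checked(&bus, 40, 2, 0xffff);
    printf("addr 40 -> rc %d, transfers still %llu\n", rc,
           (unsigned long long)mdiobus_total_transfers(&bus));
    return 0;
}
```

The point worth keeping from the model is the ordering: validation runs first, and the statistics update only after the address is known to be inside the array, so there is no window in which an out-of-range index reaches memory.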

CREATE(Triage): (User=lchen-cn) CVE-2025-38111 (https://nvd.nist.gov/vuln/detail/CVE-2025-38111)