Fixed
Created: Jul 3, 2025
Updated: Jul 10, 2025
Resolved Date: Jul 10, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

net/mdiobus: Fix potential out-of-bounds clause 45 read/write access

When using publicly available tools like 'mdio-tools' to read/write data
from/to a network interface and its PHY via C45 (clause 45) mdiobus,
there is no verification of the parameters passed to the ioctl, and
it accepts any mdio address.
Currently there is support for 32 addresses in the kernel via the PHY_MAX_ADDR define,
but it is possible to pass a higher value than that via ioctl.
While the read/write operation should generally fail in this case,
mdiobus provides a stats array, where a wrong address may allow an out-of-bounds
read/write.

Fix that by adding address verification before the C45 read/write operation.
While this excludes this access from any statistics, it improves the security of
the read/write operation.
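The fix described above, modelled as an added example (not the kernel's own code): a constructed `mii_bus` with a per-address `stats` array of `PHY_MAX_ADDR` entries, and C45 read/write paths that reject an out-of-range address before the stats entry is ever indexed. The register store, its `devad`/`regnum` limits and the `-ENXIO`/`-EINVAL` error choices are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the mdiobus layer; not the kernel's own code. */
#define PHY_MAX_ADDR 32      /* the 32-address limit the advisory cites */
#define MOCK_DEVADS   4      /* assumed size of the mock register store */
#define MOCK_REGS    16

struct mdio_bus_stats {      /* shape follows the kernel's per-address counters */
    uint64_t transfers, errors, writes, reads;
};

struct mii_bus {
    struct mdio_bus_stats stats[PHY_MAX_ADDR];   /* indexed by addr: the OOB target */
    uint16_t regs[PHY_MAX_ADDR][MOCK_DEVADS][MOCK_REGS];  /* mock PHY registers */
};

/* Address check applied before any stats[] or bus access (the added verification). */
static int c45_addr_valid(int addr, int devad, int regnum)
{
    if (addr < 0 || addr >= PHY_MAX_ADDR)
        return -ENXIO;   /* would otherwise index stats[addr] out of bounds */
    if (devad < 0 || devad >= MOCK_DEVADS || regnum < 0 || regnum >= MOCK_REGS)
        return -EINVAL;  /* mock-store limit, not a kernel rule */
    return 0;
}

/* Fixed C45 read: returns the 16-bit register value, or a negative errno. */
int mdiobus_c45_read(struct mii_bus *bus, int addr, int devad, int regnum)
{
    int err = c45_addr_valid(addr, devad, regnum);
    if (err)
        return err;                      /* no statistics touched for bad input */
    bus->stats[addr].transfers++;
    bus->stats[addr].reads++;
    return bus->regs[addr][devad][regnum];
}

/* Fixed C45 write: returns 0 on success, or a negative errno. */
int mdiobus_c45_write(struct mii_bus *bus, int addr, int devad, int regnum, uint16_t val)
{
    int err = c45_addr_valid(addr, devad, regnum);
    if (err)
        return err;
    bus->stats[addr].transfers++;
    bus->stats[addr].writes++;
    bus->regs[addr][devad][regnum] = val;
    return 0;
}
```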
CREATE(Triage): (User=lchen-cn) [CVE-2025-38110 (https://nvd.nist.gov/vuln/detail/CVE-2025-38110)]