CVE-2025-71094 Overview
A vulnerability has been identified in the Linux kernel's ASIX USB network driver, which failed to properly validate PHY (Physical Layer) addresses received from USB devices. The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(), but did not check that the returned address was within acceptable bounds before using it. A malicious or faulty USB device can return an invalid address (>= PHY_MAX_ADDR), which triggers a warning in mdiobus_get_phy() with the message "addr 207 out of range".
Critical Impact
Malicious USB devices can trigger kernel warnings and potentially cause system instability by providing out-of-range PHY addresses to the ASIX network driver.
Affected Products
- Linux kernel with ASIX USB network driver (net/usb/asix)
- Systems using ASIX-based USB Ethernet adapters
- Linux kernel versions prior to the security patches
Discovery Timeline
- 2026-01-13 - CVE-2025-71094 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71094
Vulnerability Analysis
This vulnerability represents an input validation issue in the Linux kernel's USB network subsystem. The ASIX driver, which provides support for ASIX Electronics USB-to-Ethernet adapters, retrieves PHY configuration data directly from the connected USB device. The asix_read_phy_addr() function was designed to read the PHY address from the device, but it lacked proper validation to ensure the returned value fell within the valid range defined by PHY_MAX_ADDR.
When an out-of-bounds PHY address is received and subsequently passed to mdiobus_get_phy(), the kernel triggers a warning in drivers/net/phy/mdio_bus.c at line 76. While this appears to be a relatively contained issue, improper handling of device-supplied data in kernel drivers can lead to unexpected behavior or system instability.
Root Cause
The root cause is insufficient input validation in the asix_read_phy_addr() function within the ASIX USB network driver. The function trusted data received from the USB device without verifying that the PHY address was within acceptable bounds (0 to PHY_MAX_ADDR - 1). This allowed a malicious or malfunctioning USB device to supply an arbitrary address value that would be passed to other kernel functions expecting a valid PHY address.
Attack Vector
The attack requires physical access to connect a malicious USB device to the target system. A specially crafted or modified USB Ethernet adapter identifying itself as an ASIX-compatible device could provide an invalid PHY address when queried by the driver. This could be accomplished through:
- A hardware implant designed to respond with malicious PHY configuration data
- A modified ASIX USB Ethernet adapter firmware
- A USB device emulator that presents as an ASIX adapter
The vulnerability is triggered when the Linux kernel attempts to initialize or communicate with the malicious device, at which point the invalid PHY address causes kernel warnings.
Detection Methods for CVE-2025-71094
Indicators of Compromise
- Kernel warning messages containing "addr [number] out of range" in dmesg logs
- Warnings originating from drivers/net/phy/mdio_bus.c line 76
- Unexpected USB Ethernet adapter behavior or initialization failures
- Repeated kernel warnings when connecting USB network devices
Detection Strategies
- Monitor kernel logs (dmesg) for PHY address out-of-range warnings
- Implement USB device allowlisting to control which devices can connect
- Use USB intrusion detection systems to identify unexpected device behavior
- Deploy endpoint monitoring solutions that track kernel warning events
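The kernel-log monitoring listed above, as an added example that is not from the advisory or the kernel project: a POSIX shell function that finds the "addr N out of range" message, checks whether the WARNING that follows names drivers/net/phy/mdio_bus.c, and reports the most recently enumerated USB device so a responder knows which port to inspect. The function names, output fields and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor or kernel code): triage kernel log text for the
# CVE-2025-71094 warning and tie each hit to the last USB device enumerated.

# Reads kernel log text (dmesg or journalctl -k output) on stdin.
# Prints one line per hit: phy_addr=<n> usb_device=<path> mdio_warn=<yes|no>
scan_phy_warnings() {
    awk '
        function emit(confirmed) {
            if (pending != "") print pending " mdio_warn=" confirmed
            pending = ""
        }
        # Track the most recently enumerated USB device (bus-port path).
        / usb [0-9][-0-9.]*: new .* USB device number / {
            for (i = 1; i < NF; i++)
                if ($i == "usb") { dev = $(i + 1); sub(/:$/, "", dev); break }
        }
        # Message text quoted in the advisory: "addr <n> out of range".
        match($0, /addr -?[0-9]+ out of range/) {
            emit("no")
            addr = substr($0, RSTART + 5, RLENGTH - 18)
            pending = "phy_addr=" addr " usb_device=" (dev == "" ? "unknown" : dev)
            next
        }
        # The WARNING header names the source file; the line number varies
        # between kernel builds, so match on the file only.
        /WARNING/ && /drivers\/net\/phy\/mdio_bus\.c/ { emit("yes") }
        END { emit("no") }
    '
}

# Constructed sample log (not captured from a real system).
sample_log() {
    cat <<'EOF'
[  112.401234] usb 1-3: new high-speed USB device number 5 using xhci_hcd
[  112.913000] ------------[ cut here ]------------
[  112.913010] addr 207 out of range
[  112.913050] WARNING: CPU: 1 PID: 77 at drivers/net/phy/mdio_bus.c:76 mdiobus_get_phy
[  300.000100] usb 2-1.4: new full-speed USB device number 9 using ehci-pci
[  300.500200] eth1: addr 12 out of range for this table
EOF
}

sample_log | scan_phy_warnings
```

A hit with mdio_warn=no matched only the message text and should be treated as lower confidence than one followed by the mdio_bus.c WARNING.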
Monitoring Recommendations
- Enable comprehensive kernel logging and forward to a centralized SIEM
- Configure alerts for USB-related kernel warnings in monitoring systems
- Monitor for unusual USB device connection patterns
- Implement the SentinelOne Singularity platform for real-time kernel-level threat detection
How to Mitigate CVE-2025-71094
Immediate Actions Required
- Update the Linux kernel to a version containing the security patches
- Restrict physical USB port access on sensitive systems
- Implement USB device allowlisting policies where possible
- Monitor systems for kernel warnings related to network drivers
Patch Information
The Linux kernel maintainers have released patches to validate the PHY address in asix_read_phy_addr() before use, and removed a now-redundant check in ax88172a.c. Multiple commits addressing this vulnerability are available:
- Kernel Git Commit 38722e6
- Kernel Git Commit 98a12c2
- Kernel Git Commit a1e077a
- Kernel Git Commit bf8a0f3
- Kernel Git Commit f5f4f30
Workarounds
- Disable or blacklist the asix kernel module if ASIX USB Ethernet adapters are not required
- Physically secure USB ports to prevent unauthorized device connections
- Use USB port blockers on systems where USB Ethernet is not needed
- Implement strict USB device policies via udev rules to restrict device attachment
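# Disable ASIX USB Ethernet driver if not needed (run as root).
# "blacklist" stops automatic loading when a matching device is plugged in;
# an explicit "modprobe asix" by an administrator still loads the module.
echo "blacklist asix" >> /etc/modprobe.d/blacklist-asix.conf
# Rebuild the initramfs so the setting also applies during early boot (Debian/Ubuntu).
update-initramfs -u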
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

