Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71094

CVE-2025-71094: Linux Kernel Privilege Escalation Flaw

CVE-2025-71094 is a privilege escalation vulnerability in the Linux Kernel ASIX USB driver that allows exploitation through invalid PHY addresses. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-71094 Overview

CVE-2025-71094 is a Linux kernel vulnerability in the ASIX USB Ethernet driver. The driver reads the PHY (Physical Layer) address from a connected USB device via asix_read_phy_addr() without validating the returned value. A malicious or malfunctioning USB device can return an invalid PHY address greater than or equal to PHY_MAX_ADDR, triggering a warning in mdiobus_get_phy() at drivers/net/phy/mdio_bus.c:76. The condition produces kernel log output such as addr 207 out of range and can lead to availability impact on the host system. The flaw affects multiple Linux kernel branches up to and including 6.19 release candidates.

Critical Impact

A local attacker with the ability to attach a crafted USB device can trigger a kernel warning and disrupt network driver availability through unchecked PHY address values returned by the ASIX driver.

Affected Products

  • Linux Kernel 5.14 (long-term stable branch)
  • Linux Kernel 6.x stable releases prior to the patch commits
  • Linux Kernel 6.19-rc1 through 6.19-rc8

Discovery Timeline

  • 2026-01-13 - CVE-2025-71094 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71094

Vulnerability Analysis

The ASIX driver provides Linux kernel support for ASIX-based USB-to-Ethernet adapters. During device initialization, the driver queries the attached USB device for its MDIO (Management Data Input/Output) PHY address using asix_read_phy_addr(). The returned value is then passed to mdiobus_get_phy() to obtain a handle for the corresponding PHY device on the MDIO bus.

The driver did not verify that the returned address fell within the valid MDIO address range of 0 through PHY_MAX_ADDR - 1 (typically 0-31). When a device returns an out-of-range value such as 207, the kernel emits a WARNING from drivers/net/phy/mdio_bus.c:76 and the PHY lookup fails. On systems configured with panic_on_warn, this warning escalates to a full kernel panic, producing a denial-of-service condition.

Root Cause

The root cause is missing input validation [CWE-NVD-noinfo] on data sourced from an untrusted USB peripheral. The ASIX driver treated the PHY address field as a trusted value and used it directly as an MDIO bus index. A redundant check existed in ax88172a.c but was insufficient because not all driver paths exercised it.

Attack Vector

Exploitation requires local physical or logical access to attach a USB device to the target host. A malicious USB device that emulates an ASIX Ethernet adapter and returns a PHY address greater than or equal to PHY_MAX_ADDR triggers the condition. No user authentication is required beyond the ability to connect USB hardware, making attended kiosks, server bays, and BadUSB-style scenarios relevant threat models. The vulnerability does not affect confidentiality or integrity, but it impacts availability through kernel warnings or panics.

The upstream fix centralizes validation inside asix_read_phy_addr() and removes the now-redundant check in ax88172a.c. See the kernel commit a1e077a3f76eea0dc671ed6792e7d543946227e8 for the patch details.

Detection Methods for CVE-2025-71094

Indicators of Compromise

  • Kernel log messages containing the string addr <N> out of range where N exceeds 31
  • WARNING traces originating from drivers/net/phy/mdio_bus.c referencing mdiobus_get_phy()
  • Failed network interface initialization for ASIX USB Ethernet adapters (asix, ax88172a, ax88179_178a modules)
  • Unexpected kernel panics on systems running with panic_on_warn=1 shortly after USB device insertion

Detection Strategies

  • Monitor dmesg and journalctl -k output for MDIO bus warnings and ASIX driver errors following USB hot-plug events
  • Correlate USB device connection events (udev) with kernel warning traces to identify suspicious peripherals
  • Audit installed kernel package versions against the patched stable releases referenced in the upstream commits

Monitoring Recommendations

  • Forward kernel ring buffer logs to a centralized logging or SIEM platform for retention and alerting
  • Enable USB device authorization policies (/sys/bus/usb/devices/*/authorized) and log all new USB attachments
  • Track loaded kernel modules and flag instances where asix or ax88172a modules unload unexpectedly after device insertion

How to Mitigate CVE-2025-71094

Immediate Actions Required

  • Apply the latest stable kernel update from your Linux distribution that incorporates the upstream ASIX driver fix
  • Restrict physical access to USB ports on servers and unattended workstations
  • Disable the asix and ax88172a kernel modules on systems that do not require ASIX USB Ethernet support using modprobe.d blacklist entries

Patch Information

The vulnerability is resolved by validating the PHY address inside asix_read_phy_addr() before passing it to mdiobus_get_phy(). Patches were merged across multiple stable branches. Reference commits include 38722e69ee64, 98a12c2547a4, a1e077a3f76e, bf8a0f3b787c, f5f4f30f3811, and fc96018f09f8. Upgrade to a kernel release that includes one of these commits.

Workarounds

  • Blacklist the affected modules where ASIX adapters are not needed: add blacklist asix and blacklist ax88172a to /etc/modprobe.d/blacklist-asix.conf
  • Enforce USBGuard or a comparable USB allowlist policy to block unknown vendor/product IDs from binding to network drivers
  • Disable panic_on_warn on production systems to prevent the kernel warning from escalating to a full system crash while patches are being staged
bash
# Configuration example
# Blacklist the affected ASIX modules until the kernel is patched
echo 'blacklist asix' | sudo tee /etc/modprobe.d/blacklist-asix.conf
echo 'blacklist ax88172a' | sudo tee -a /etc/modprobe.d/blacklist-asix.conf
sudo update-initramfs -u

# Verify currently running kernel and module status
uname -r
lsmod | grep -E 'asix|ax88172a'

# Review recent kernel warnings related to MDIO bus
sudo dmesg | grep -iE 'mdio|asix|out of range'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.