CVE-2025-71094 Overview
CVE-2025-71094 is a Linux kernel vulnerability in the ASIX USB Ethernet driver. The driver reads the PHY (Physical Layer) address from a connected USB device via asix_read_phy_addr() without validating the returned value. A malicious or malfunctioning USB device can return an invalid PHY address greater than or equal to PHY_MAX_ADDR, triggering a warning in mdiobus_get_phy() at drivers/net/phy/mdio_bus.c:76. The condition produces kernel log output such as addr 207 out of range and can lead to availability impact on the host system. The flaw affects multiple Linux kernel branches up to and including 6.19 release candidates.
Critical Impact
A local attacker with the ability to attach a crafted USB device can trigger a kernel warning and disrupt network driver availability through unchecked PHY address values returned by the ASIX driver.
Affected Products
- Linux Kernel 5.14 (long-term stable branch)
- Linux Kernel 6.x stable releases prior to the patch commits
- Linux Kernel 6.19-rc1 through 6.19-rc8
Discovery Timeline
- 2026-01-13 - CVE-2025-71094 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2025-71094
Vulnerability Analysis
The ASIX driver provides Linux kernel support for ASIX-based USB-to-Ethernet adapters. During device initialization, the driver queries the attached USB device for its MDIO (Management Data Input/Output) PHY address using asix_read_phy_addr(). The returned value is then passed to mdiobus_get_phy() to obtain a handle for the corresponding PHY device on the MDIO bus.
The driver did not verify that the returned address fell within the valid MDIO address range of 0 through PHY_MAX_ADDR - 1 (typically 0-31). When a device returns an out-of-range value such as 207, the kernel emits a WARNING from drivers/net/phy/mdio_bus.c:76 and the PHY lookup fails. On systems configured with panic_on_warn, this warning escalates to a full kernel panic, producing a denial-of-service condition.
Root Cause
The root cause is missing input validation [CWE-NVD-noinfo] on data sourced from an untrusted USB peripheral. The ASIX driver treated the PHY address field as a trusted value and used it directly as an MDIO bus index. A redundant check existed in ax88172a.c but was insufficient because not all driver paths exercised it.
Attack Vector
Exploitation requires local physical or logical access to attach a USB device to the target host. A malicious USB device that emulates an ASIX Ethernet adapter and returns a PHY address greater than or equal to PHY_MAX_ADDR triggers the condition. No user authentication is required beyond the ability to connect USB hardware, making attended kiosks, server bays, and BadUSB-style scenarios relevant threat models. The vulnerability does not affect confidentiality or integrity, but it impacts availability through kernel warnings or panics.
The upstream fix centralizes validation inside asix_read_phy_addr() and removes the now-redundant check in ax88172a.c. See the kernel commit a1e077a3f76eea0dc671ed6792e7d543946227e8 for the patch details.
Detection Methods for CVE-2025-71094
Indicators of Compromise
- Kernel log messages containing the string addr <N> out of range where N exceeds 31
- WARNING traces originating from drivers/net/phy/mdio_bus.c referencing mdiobus_get_phy()
- Failed network interface initialization for ASIX USB Ethernet adapters (asix, ax88172a, ax88179_178a modules)
- Unexpected kernel panics on systems running with panic_on_warn=1 shortly after USB device insertion
Detection Strategies
- Monitor dmesg and journalctl -k output for MDIO bus warnings and ASIX driver errors following USB hot-plug events
- Correlate USB device connection events (udev) with kernel warning traces to identify suspicious peripherals
- Audit installed kernel package versions against the patched stable releases referenced in the upstream commits
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized logging or SIEM platform for retention and alerting
- Enable USB device authorization policies (/sys/bus/usb/devices/*/authorized) and log all new USB attachments
- Track loaded kernel modules and flag instances where asix or ax88172a modules unload unexpectedly after device insertion
How to Mitigate CVE-2025-71094
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that incorporates the upstream ASIX driver fix
- Restrict physical access to USB ports on servers and unattended workstations
- Disable the asix and ax88172a kernel modules on systems that do not require ASIX USB Ethernet support using modprobe.d blacklist entries
Patch Information
The vulnerability is resolved by validating the PHY address inside asix_read_phy_addr() before passing it to mdiobus_get_phy(). Patches were merged across multiple stable branches. Reference commits include 38722e69ee64, 98a12c2547a4, a1e077a3f76e, bf8a0f3b787c, f5f4f30f3811, and fc96018f09f8. Upgrade to a kernel release that includes one of these commits.
Workarounds
- Blacklist the affected modules where ASIX adapters are not needed: add blacklist asix and blacklist ax88172a to /etc/modprobe.d/blacklist-asix.conf
- Enforce USBGuard or a comparable USB allowlist policy to block unknown vendor/product IDs from binding to network drivers
- Disable panic_on_warn on production systems to prevent the kernel warning from escalating to a full system crash while patches are being staged
# Configuration example
# Blacklist the affected ASIX modules until the kernel is patched
echo 'blacklist asix' | sudo tee /etc/modprobe.d/blacklist-asix.conf
echo 'blacklist ax88172a' | sudo tee -a /etc/modprobe.d/blacklist-asix.conf
sudo update-initramfs -u
# Verify currently running kernel and module status
uname -r
lsmod | grep -E 'asix|ax88172a'
# Review recent kernel warnings related to MDIO bus
sudo dmesg | grep -iE 'mdio|asix|out of range'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

