CVE-2025-71196 Overview
A boundary condition error vulnerability has been discovered in the Linux kernel's STM32 USBPHYC (USB PHY Controller) driver. The vulnerability exists in the probe() function where an off-by-one error occurs during array index validation. When the index variable equals usbphyc->nphys, it accesses one element beyond the bounds of the usbphyc->phys[] array, potentially leading to memory corruption or system instability.
Critical Impact
An off-by-one array access vulnerability in the Linux kernel's STM32 USBPHYC driver could allow out-of-bounds memory access, potentially causing kernel crashes or memory corruption on affected embedded systems.
Affected Products
- Linux kernel with STM32 USBPHYC driver enabled
- STM32-based embedded systems utilizing the USB PHY controller
- Devices with device tree configurations specifying PHY index values
Discovery Timeline
- 2026-02-04 - CVE-2025-71196 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-71196
Vulnerability Analysis
This vulnerability is classified as an Out-of-Bounds Read/Write issue caused by improper boundary checking in the STM32 USBPHYC driver's probe function. The flaw resides in how the driver validates the index variable before using it to access the usbphyc->phys[] array.
The index value is sourced from the device tree configuration, which, while generally trusted, should still be properly validated. The original code used a greater-than (>) comparison to check whether the index exceeds the array bounds. Because array indexing is zero-based, an index equal to usbphyc->nphys points one element past the end of the array. The fix changes the comparison from > to >= so that this boundary value is rejected.
Root Cause
The root cause is an improper boundary check using > instead of >= when validating array index access. In C arrays with nphys elements, valid indices range from 0 to nphys-1. The original comparison index > usbphyc->nphys incorrectly allows index == usbphyc->nphys to pass validation, which is one element out of bounds.
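The two comparisons side by side, as an added example rather than the driver's own code: a userspace C model in which the struct and function names, NPHYS = 2 and the canary slot are all constructed for illustration. The spare slot exists only so the overrun can be observed without undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>

#define NPHYS  2            /* constructed: a controller with two PHYs */
#define CANARY 0xdeadbeefu  /* marks the slot just past the logical array */

struct phy_model { unsigned int id; };
struct usbphyc_model {
    unsigned int nphys;
    /* One spare slot so the demo stays in allocated memory; the array
     * being modelled has only nphys elements. */
    struct phy_model phys[NPHYS + 1];
};

/* Pre-fix comparison: index == nphys passes validation. */
static int index_ok_unpatched(const struct usbphyc_model *u, unsigned int index)
{
    return index > u->nphys ? -EINVAL : 0;
}

/* Post-fix comparison: only indices 0 .. nphys-1 pass. */
static int index_ok_patched(const struct usbphyc_model *u, unsigned int index)
{
    return index >= u->nphys ? -EINVAL : 0;
}

typedef int (*check_fn)(const struct usbphyc_model *, unsigned int);

/* Returns the id stored at phys[index], or 0 if the check rejects index. */
static unsigned int lookup(const struct usbphyc_model *u, unsigned int index,
                           check_fn check)
{
    return check(u, index) ? 0 : u->phys[index].id;
}

static struct usbphyc_model make_model(void)
{
    struct usbphyc_model u = { .nphys = NPHYS, .phys = { {1}, {2}, {CANARY} } };
    return u;
}

int main(void)
{
    struct usbphyc_model u = make_model();
    for (unsigned int i = 0; i <= NPHYS + 1; i++)  /* walk past both bounds */
        printf("index %u: unpatched=0x%x patched=0x%x\n", i,
               lookup(&u, i, index_ok_unpatched), lookup(&u, i, index_ok_patched));
    return 0;
}
```

With index equal to NPHYS, the unpatched check returns the canary value from the slot beyond the logical array, while the patched check rejects the index with -EINVAL.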
Attack Vector
The attack vector for this vulnerability is limited. The index value comes from the device tree, which is typically a trusted source controlled during system configuration. Exploitation would require one of the following:
- Malicious modification of the device tree on a compromised system
- A misconfigured device tree with an incorrect PHY index value
- Combining this flaw with another vulnerability that allows device tree manipulation
While the likelihood of exploitation is low due to the trust model of device tree data, the fix is important for maintaining kernel code quality and preventing potential cascading issues in embedded systems where STM32 USB PHY functionality is critical.
Detection Methods for CVE-2025-71196
Indicators of Compromise
- Unexpected kernel oops or panics related to the stm32-usbphyc driver during system boot
- Memory corruption symptoms in systems using STM32 USB PHY controllers
- Abnormal behavior during USB device enumeration on STM32 platforms
Detection Strategies
- Review kernel logs for array bounds violations or memory access errors in the USBPHYC driver context
- Audit device tree configurations for PHY index values that may exceed expected bounds
- Monitor for kernel crashes during the driver probe phase on STM32-based systems
Monitoring Recommendations
- Enable kernel memory debugging options such as KASAN (Kernel Address Sanitizer) to detect out-of-bounds accesses
- Implement logging for driver initialization failures on embedded STM32 platforms
- Review system boot logs for any anomalies during USB PHY controller initialization
How to Mitigate CVE-2025-71196
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix
- Review device tree configurations to ensure PHY index values are within valid ranges
- Monitor affected embedded systems for unusual behavior during USB operations
Patch Information
The vulnerability has been resolved through multiple kernel commits that change the boundary comparison from > to >=. The fix ensures proper array bounds validation by rejecting index values equal to usbphyc->nphys.
Official kernel patches are available:
- Kernel Git Commit 76b870f
- Kernel Git Commit 7c27eaf
- Kernel Git Commit b91c9f6
- Kernel Git Commit cabd25b
Workarounds
- Validate device tree configurations to ensure all PHY index values are less than the total number of PHYs
- Consider disabling the STM32 USBPHYC driver if USB PHY functionality is not required
- Apply kernel patches from stable branches as soon as they are available for your distribution
```bash
# Verify current kernel version and check for available updates
uname -r
# Check device tree for PHY index configurations
dtc -I fs /sys/firmware/devicetree/base | grep -A5 "usbphyc"
```


