ghsa-33v2-gr7f-4wmr
Vulnerability from github
Published
2025-06-28 09:30
Modified
2025-06-28 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ch9200: fix uninitialised access during mii_nway_restart

In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read():

    if (err == size) {
            memcpy(data, buf, size);
    }

If the condition of "err == size" is not met, then "buff" remains uninitialised. Once this happens the uninitialised "buff" is accessed and returned during ch9200_mdio_read():

    return (buff[0] | buff[1] << 8);

The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of "buff".

To fix this we should check the return value of control_read() and return early on error.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38086"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-28T08:15:24Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ch9200: fix uninitialised access during mii_nway_restart\n\nIn mii_nway_restart() the code attempts to call\nmii-\u003emdio_read which is ch9200_mdio_read(). ch9200_mdio_read()\nutilises a local buffer called \"buff\", which is initialised\nwith control_read(). However \"buff\" is conditionally\ninitialised inside control_read():\n\n        if (err == size) {\n                memcpy(data, buf, size);\n        }\n\nIf the condition of \"err == size\" is not met, then\n\"buff\" remains uninitialised. Once this happens the\nuninitialised \"buff\" is accessed and returned during\nch9200_mdio_read():\n\n        return (buff[0] | buff[1] \u003c\u003c 8);\n\nThe problem stems from the fact that ch9200_mdio_read()\nignores the return value of control_read(), leading to\nuinit-access of \"buff\".\n\nTo fix this we should check the return value of\ncontrol_read() and return early on error.",
  "id": "GHSA-33v2-gr7f-4wmr",
  "modified": "2025-06-28T09:30:23Z",
  "published": "2025-06-28T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38086"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/119766de4930ff40db9f36b960cb53b0c400e81b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/33163c68d2e3061fa3935b5f0a1867958b1cdbd2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4da7fcc098218ff92b2e83a43f545c02f714cedd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bd2569d0b2f918e9581f744df0263caf73ee76c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a350f30d65197354706b7759b5c89d6c267b1a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ad0452c0277b816a435433cca601304cfac7c21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9da3e442714f7f4393ff01c265c4959c03e88c2f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.