{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38086","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.981Z","datePublished":"2025-06-28T07:52:58.293Z","dateUpdated":"2026-05-11T21:20:59.045Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:20:59.045Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ch9200: fix uninitialised access during mii_nway_restart\n\nIn mii_nway_restart() the code attempts to call\nmii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()\nutilises a local buffer called \"buff\", which is initialised\nwith control_read(). However \"buff\" is conditionally\ninitialised inside control_read():\n\n        if (err == size) {\n                memcpy(data, buf, size);\n        }\n\nIf the condition of \"err == size\" is not met, then\n\"buff\" remains uninitialised. Once this happens the\nuninitialised \"buff\" is accessed and returned during\nch9200_mdio_read():\n\n        return (buff[0] | buff[1] << 8);\n\nThe problem stems from the fact that ch9200_mdio_read()\nignores the return value of control_read(), leading to\nuinit-access of \"buff\".\n\nTo fix this we should check the return value of\ncontrol_read() and return early on error."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/usb/ch9200.c"],"versions":[{"version":"4a476bd6d1d923922ec950ddc4c27b279f6901eb","lessThan":"119766de4930ff40db9f36b960cb53b0c400e81b","status":"affected","versionType":"git"},{"version":"4a476bd6d1d923922ec950ddc4c27b279f6901eb","lessThan":"33163c68d2e3061fa3935b5f0a1867958b1cdbd2","status":"affected","versionType":"git"},{"version":"4a476bd6d1d923922ec950ddc4c27b279f6901eb","lessThan":"9da3e442714f7f4393ff01c265c4959c03e88c2f","status":"affected","versionType":"git"},{"version":"4a476bd6d1d923922ec950ddc4c27b279f6901eb","lessThan":"9a350f30d65197354706b7759b5c89d6c267b1a9","status":"affected","versionType":"git"},{"version":"4a476bd6d1d923922ec950ddc4c27b279f6901eb","lessThan":"6bd2569d0b2f918e9581f744df0263caf73ee76c","status":"affected","versionType":"git"},{"version":"4a476bd6d1d923922ec950ddc4c27b279f6901eb","lessThan":"4da7fcc098218ff92b2e83a43f545c02f714cedd","status":"affected","versionType":"git"},{"version":"4a476bd6d1d923922ec950ddc4c27b279f6901eb","lessThan":"cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72","status":"affected","versionType":"git"},{"version":"4a476bd6d1d923922ec950ddc4c27b279f6901eb","lessThan":"9ad0452c0277b816a435433cca601304cfac7c21","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/usb/ch9200.c"],"versions":[{"version":"4.3","status":"affected"},{"version":"0","lessThan":"4.3","status":"unaffected","versionType":"semver"},{"version":"5.4.295","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.239","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.186","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.95","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.35","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.4","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.4.295"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.10.239"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.15.186"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.6.95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.12.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.15.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/119766de4930ff40db9f36b960cb53b0c400e81b"},{"url":"https://git.kernel.org/stable/c/33163c68d2e3061fa3935b5f0a1867958b1cdbd2"},{"url":"https://git.kernel.org/stable/c/9da3e442714f7f4393ff01c265c4959c03e88c2f"},{"url":"https://git.kernel.org/stable/c/9a350f30d65197354706b7759b5c89d6c267b1a9"},{"url":"https://git.kernel.org/stable/c/6bd2569d0b2f918e9581f744df0263caf73ee76c"},{"url":"https://git.kernel.org/stable/c/4da7fcc098218ff92b2e83a43f545c02f714cedd"},{"url":"https://git.kernel.org/stable/c/cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72"},{"url":"https://git.kernel.org/stable/c/9ad0452c0277b816a435433cca601304cfac7c21"}],"title":"net: ch9200: fix uninitialised access during mii_nway_restart","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:33:56.167Z"}}]}}