CVE-2025-39967
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: fix integer overflow in fbcon_do_set_font
Fix integer overflow vulnerabilities in fbcon_do_set_font() where font size calculations could overflow when handling user-controlled font parameters.
The vulnerabilities occur when:
- CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount multiplication with user-controlled values that can overflow.
- FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
- This results in smaller allocations than expected, leading to buffer overflows during font data copying.
Add explicit overflow checking using check_mul_overflow() and check_add_overflow() kernel helpers to safety validate all size calculations before allocation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 96e41fc29e8af5c5085fb8a79cab8d0d00bab86c < 994bdc2d23c79087fbf7dcd9544454e8ebcef877 | affected |
| Linux | Linux | 39b3cffb8cf3111738ea993e2757ab382253d86a < 9c8ec14075c5317edd6b242f1be8167aa1e4e333 | affected |
| Linux | Linux | 39b3cffb8cf3111738ea993e2757ab382253d86a < b8a6e85328aeb9881531dbe89bcd2637a06c3c95 | affected |
| Linux | Linux | 39b3cffb8cf3111738ea993e2757ab382253d86a < a6eb9f423b3db000aaedf83367b8539f6b72dcfc | affected |
| Linux | Linux | 39b3cffb8cf3111738ea993e2757ab382253d86a < adac90bb1aaf45ca66f9db8ac100be16750ace78 | affected |
| Linux | Linux | 39b3cffb8cf3111738ea993e2757ab382253d86a < 4a4bac869560f943edbe3c2b032062f6673b13d3 | affected |
| Linux | Linux | 39b3cffb8cf3111738ea993e2757ab382253d86a < c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7 | affected |
| Linux | Linux | 39b3cffb8cf3111738ea993e2757ab382253d86a < 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe | affected |
| Linux | Linux | ae021a904ac82d9fc81c25329d3c465c5a7d5686 | affected |
| Linux | Linux | 451bffa366f2cc0e5314807cb847f31c0226efed | affected |
| Linux | Linux | 2c455e9c5865861f5ce09c5f596909495ed7657c | affected |
| Linux | Linux | 72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e | affected |
| Linux | Linux | 34cf1aff169dc6dedad8d79da7bf1b4de2773dbc | affected |
| Linux | Linux | 5.4.62 < 5.4.300 | affected |
| Linux | Linux | 4.4.235 < 4.5 | affected |
| Linux | Linux | 4.9.235 < 4.10 | affected |
| Linux | Linux | 4.14.196 < 4.15 | affected |
| Linux | Linux | 4.19.143 < 4.20 | affected |
| Linux | Linux | 5.8.6 < 5.9 | affected |
| Linux | Linux | 5.9 | affected |
| Linux | Linux | 0 < 5.9 | unaffected |
| Linux | Linux | 5.4.300 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.245 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.194 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.155 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.109 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.50 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.10 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://git.kernel.org/stable/c/994bdc2d23c79087fbf7dcd9544454e8ebcef877
- https://git.kernel.org/stable/c/9c8ec14075c5317edd6b242f1be8167aa1e4e333
- https://git.kernel.org/stable/c/b8a6e85328aeb9881531dbe89bcd2637a06c3c95
- https://git.kernel.org/stable/c/a6eb9f423b3db000aaedf83367b8539f6b72dcfc
- https://git.kernel.org/stable/c/adac90bb1aaf45ca66f9db8ac100be16750ace78
- https://git.kernel.org/stable/c/4a4bac869560f943edbe3c2b032062f6673b13d3
- https://git.kernel.org/stable/c/c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7
- https://git.kernel.org/stable/c/1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.