CVE-2025-40304

Summary

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.

Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 996bfaa7372d6718b6d860bdf78f6618e850c702affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f0982400648a3e00580253e0c48e991f34d2684caffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ebc0730b490c7f27340b1222e01dd106e820320daffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 86df8ade88d290725554cefd03101ecd0fbd3752affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 15ba9acafb0517f8359ca30002c189a68ddbb939affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2d1359e11674ed4274934eac8a71877ae5ae7bbbaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3637d34b35b287ab830e66048841ace404382b67affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.4.302 <= 5.4.*unaffected
LinuxLinux5.10.247 <= 5.10.*unaffected
LinuxLinux5.15.197 <= 5.15.*unaffected
LinuxLinux6.1.159 <= 6.1.*unaffected
LinuxLinux6.6.117 <= 6.6.*unaffected
LinuxLinux6.12.58 <= 6.12.*unaffected
LinuxLinux6.17.8 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References