HIGH
fbdev UFX IOCTL Validation
CVE-2026-23236
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
KernelScan AI 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: smscufx: properly copy ioctl memory to kernelspace

The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel.
02 KernelScan AI Analysis
Risk summary
Local users with access to the UFX framebuffer device can exploit improper input validation in the UFX_IOCTL_REPORT_DAMAGE ioctl to potentially corrupt kernel memory or cause system crashes. This affects systems with SMSC UFX6000/7000 USB display adapters where users have device access permissions.
Vulnerability analysis
The vulnerability stems from the UFX_IOCTL_REPORT_DAMAGE ioctl handler directly dereferencing a userspace pointer without proper validation or copying. The original code cast the ioctl argument directly to a struct dloarea pointer and accessed its fields, allowing userspace to control kernel memory access patterns. The fix introduces proper copy_from_user() validation and uses the __free(kfree) attribute for automatic cleanup, ensuring userspace data is safely copied to kernel memory before processing. Attack surface is local-only, requiring access to the UFX framebuffer device file.
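The copy-then-validate shape described above, as an added example that is not code from the kernel patch or from this page: a userspace C model in which `user_mem`, `model_copy_from_user()` and `report_damage()` are hypothetical names, and the `struct dloarea` field layout and the clamping step are assumptions. It copies onto the stack instead of into a heap buffer.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the page names struct dloarea but does not list its fields. */
struct dloarea { int x, y, w, h; };

/* Constructed stand-in for the caller's address space: only this is "mapped". */
static unsigned char user_mem[64];

/* Hypothetical model of copy_from_user(): returns the number of bytes NOT copied. */
static unsigned long model_copy_from_user(void *dst, uintptr_t uaddr, size_t n)
{
    uintptr_t base = (uintptr_t)user_mem;

    if (uaddr < base || n > sizeof(user_mem) ||
        uaddr - base > sizeof(user_mem) - n)
        return n;               /* range not fully inside user memory */
    memcpy(dst, (const void *)uaddr, n);
    return 0;
}

/* Hardened handler shape: one copy into handler-owned memory, then validate
 * the copy. The pre-fix shape cast arg to a struct pointer and read it in place. */
static long report_damage(uintptr_t arg, int xres, int yres, struct dloarea *out)
{
    struct dloarea area;        /* stack copy here; the fix uses __free(kfree) */

    if (model_copy_from_user(&area, arg, sizeof(area)))
        return -EFAULT;
    /* Assumed validation step: clamp the origin to the visible resolution. */
    if (area.x < 0) area.x = 0;
    if (area.x > xres) area.x = xres;
    if (area.y < 0) area.y = 0;
    if (area.y > yres) area.y = yres;
    *out = area;                /* later writes to user_mem cannot change this */
    return 0;
}

int main(void)
{
    struct dloarea in = { -5, 9000, 10, 10 }, out = { 0, 0, 0, 0 };

    memcpy(user_mem, &in, sizeof(in));
    printf("valid pointer: %ld\n", report_damage((uintptr_t)user_mem, 1920, 1080, &out));
    printf("clamped origin: %d,%d\n", out.x, out.y);
    printf("bad pointer: %ld\n", report_damage(0, 1920, 1080, &out));
    return 0;
}
```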
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.251 | 061cfeb560aa |
| 5.15 | 5.15.201 | 6167af934f95 |
| 6.1 | 6.1.164 | a0321e6e58fa |
| 6.6 | 6.6.127 | 0634e8d65099 |
| 6.12 | 6.12.74 | 52917e265aa5 |
| 6.18 | 6.18.13 | 1c008ad0f0d1 |
| 6.19 | 6.19.3 | f1e91bd4efea |
| mainline | 7.0 | 120adae7b42f |