HIGH
vt Unicode Buffer OOB
CVE-2026-31742
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

vt: discard stale unicode buffer on alt screen exit after resize

When enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and sets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize() skips reallocating the unicode buffer because vc_uni_lines is NULL. However, vc_saved_uni_lines still points to the old buffer allocated for the original dimensions.

When leave_alt_screen() later restores vc_saved_uni_lines, the buffer dimensions no longer match vc_rows/vc_cols. Any operation that iterates over the unicode buffer using the current dimensions (e.g. csi_J clearing the screen) will access memory out of bounds, causing a kernel oops:

    BUG: unable to handle page fault for address: 0x0000002000000020
    RIP: 0010:csi_J+0x133/0x2d0

The faulting address 0x0000002000000020 is two adjacent u32 space characters (0x20) interpreted as a pointer, read from the row data area past the end of the 25-entry pointer array in a buffer allocated for 80x25 but accessed with 240x67 dimensions.

Fix this by checking whether the console dimensions changed while in the alternate screen. If they did, free the stale saved buffer instead of restoring it. The unicode screen will be lazily rebuilt via vc_uniscr_check() when next needed.
02 KernelScan AI Analysis
Risk summary
An attacker with local access to a terminal can trigger out-of-bounds memory reads by manipulating alternate screen operations and console resizing. This could lead to kernel crashes (denial of service) or potentially information disclosure through reading adjacent kernel memory. The vulnerability requires local access and the ability to interact with terminal applications.
Vulnerability analysis
Summary: The virtual terminal (VT) subsystem contains an out-of-bounds read vulnerability in the unicode buffer handling during alternate screen operations. When a console is resized while in alternate screen mode, the saved unicode buffer retains the old dimensions but is later accessed using the new dimensions, leading to out-of-bounds reads past the end of the buffer.
Root Cause: The leave_alt_screen() function blindly restores a saved unicode buffer (vc_saved_uni_lines) without checking if the console dimensions changed while in alternate screen mode. When enter_alt_screen() saves the buffer and sets vc_uni_lines to NULL, subsequent resize operations via vc_do_resize() skip reallocating the unicode buffer. However, the saved buffer still has the old dimensions, creating a mismatch when restored.
Attack Surface: This vulnerability affects local console operations and requires access to terminal functionality. It can be triggered through terminal emulator operations that use alternate screen mode combined with console resizing, such as running applications like vim, less, or other full-screen terminal applications while resizing the terminal window.
Fix Mechanism: The patch adds a dimension check in leave_alt_screen() to detect if the console was resized while in alternate screen mode. If the saved buffer dimensions don't match the current console dimensions (vc_rows/vc_cols), the stale buffer is freed using vc_uniscr_free() instead of being restored. The unicode screen is then lazily rebuilt when needed via vc_uniscr_check().
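The description and the fix mechanism above can be traced in a small user-space model. The following C program is an added example written for this page; it is not kernel code and not the patch itself. It models the unicode buffer as a row-pointer array with one u32 cell per column, reproduces the enter/resize/leave sequence from the description (80x25, then 240x67), and lets leave_alt_screen() run either unpatched or with the dimension check the fix describes. The way the model remembers the saved buffer's dimensions (the saved_rows/saved_cols fields) is an assumption of the model, as is the bounds-checked csi_J_clear() stand-in, which returns -1 where the kernel would dereference garbage row pointers.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy model of the vt unicode screen buffer. It is not the kernel's struct
 * vc_data; field names follow the advisory so the sequence reads the same. */
typedef struct {
    unsigned rows, cols;   /* dimensions the buffer was allocated for */
    uint32_t **lines;      /* row pointer array, one u32 cell per column */
} uni_screen;

typedef struct {
    unsigned vc_rows, vc_cols;
    uni_screen *vc_uni_lines;        /* live buffer; NULL while in alt screen */
    uni_screen *vc_saved_uni_lines;  /* set by enter_alt_screen() */
    unsigned saved_rows, saved_cols; /* assumption: the model records the
                                        dimensions at save time for the exit check */
} vc_model;

static uni_screen *uniscr_alloc(unsigned rows, unsigned cols) {
    uni_screen *s = calloc(1, sizeof *s);
    s->rows = rows; s->cols = cols;
    s->lines = calloc(rows, sizeof *s->lines);
    for (unsigned r = 0; r < rows; r++) {
        s->lines[r] = calloc(cols, sizeof(uint32_t));
        for (unsigned c = 0; c < cols; c++)
            s->lines[r][c] = 0x20;   /* blank cells, the value seen in the oops */
    }
    return s;
}

static void uniscr_free(uni_screen *s) {
    if (!s) return;
    for (unsigned r = 0; r < s->rows; r++) free(s->lines[r]);
    free(s->lines);
    free(s);
}

/* vc_uniscr_check(): lazily build the buffer for the current dimensions. */
static void vc_uniscr_check(vc_model *vc) {
    if (!vc->vc_uni_lines)
        vc->vc_uni_lines = uniscr_alloc(vc->vc_rows, vc->vc_cols);
}

static void enter_alt_screen(vc_model *vc) {
    vc->vc_saved_uni_lines = vc->vc_uni_lines;
    vc->saved_rows = vc->vc_rows; vc->saved_cols = vc->vc_cols;
    vc->vc_uni_lines = NULL;
}

/* vc_do_resize(): only a live buffer is reallocated. While vc_uni_lines is
 * NULL the saved buffer is untouched and keeps its old dimensions. */
static void vc_do_resize(vc_model *vc, unsigned rows, unsigned cols) {
    vc->vc_rows = rows; vc->vc_cols = cols;
    if (vc->vc_uni_lines) {
        uniscr_free(vc->vc_uni_lines);
        vc->vc_uni_lines = uniscr_alloc(rows, cols);
    }
}

/* leave_alt_screen(): fixed == 0 restores the saved buffer unconditionally;
 * fixed != 0 applies the patch's dimension check and discards a stale buffer. */
static void leave_alt_screen(vc_model *vc, int fixed) {
    uniscr_free(vc->vc_uni_lines);
    vc->vc_uni_lines = NULL;
    if (fixed && vc->vc_saved_uni_lines &&
        (vc->saved_rows != vc->vc_rows || vc->saved_cols != vc->vc_cols))
        uniscr_free(vc->vc_saved_uni_lines);  /* stale: rebuilt lazily later */
    else
        vc->vc_uni_lines = vc->vc_saved_uni_lines;
    vc->vc_saved_uni_lines = NULL;
}

/* Bounds-checked stand-in for csi_J: returns 0 when the buffer covers the
 * console, -1 when iterating with vc_rows/vc_cols would run past it. */
static int csi_J_clear(vc_model *vc) {
    vc_uniscr_check(vc);
    uni_screen *s = vc->vc_uni_lines;
    if (s->rows < vc->vc_rows || s->cols < vc->vc_cols)
        return -1;  /* the kernel would read garbage row pointers here */
    for (unsigned r = 0; r < vc->vc_rows; r++)
        for (unsigned c = 0; c < vc->vc_cols; c++)
            s->lines[r][c] = 0x20;
    return 0;
}

/* The sequence from the advisory: 80x25, enter alt screen, optionally resize
 * to 240x67, leave alt screen, clear. Returns csi_J_clear()'s result. */
int alt_screen_scenario(int resize, int fixed) {
    vc_model vc = { .vc_rows = 25, .vc_cols = 80 };
    vc_uniscr_check(&vc);
    enter_alt_screen(&vc);
    if (resize) vc_do_resize(&vc, 67, 240);
    leave_alt_screen(&vc, fixed);
    int rc = csi_J_clear(&vc);
    uniscr_free(vc.vc_uni_lines);
    return rc;
}
```

Running alt_screen_scenario(1, 0) shows the unpatched path: the 25x80 buffer is restored and a clear at 67x240 walks past it. With the check enabled (alt_screen_scenario(1, 1)) the stale buffer is freed on exit and vc_uniscr_check() rebuilds one at the new size, so the clear stays in bounds; without a resize both variants simply restore the saved buffer.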
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.22 | 891d790fdb5c |
| 6.19 | 6.19.12 | 428fdf55301e |