HIGH
fbcon FontBuffer OOB
CVE-2026-46191
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

fbcon: Avoid OOB font access if console rotation fails

Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.

Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.

v2:
- fix typos in commit message

02 KernelScan AI Analysis
Risk summary
Local attackers with low privileges can trigger a heap buffer overflow in the framebuffer console font rotation code by printing characters with high character codes to a rotated console after font buffer reallocation fails. This leads to kernel memory corruption and potential system crashes on systems with framebuffer console support.
Vulnerability analysis
The vulnerability occurs in fbcon_rotate_font() when memory reallocation fails during console rotation. The original code keeps the old, undersized font buffer instead of clearing it, creating a size mismatch between the expected rotated font size and the actual buffer size. When the putcs implementations attempt to write rotated font data for high character codes, they overflow the undersized heap buffer, corrupting adjacent kernel memory. The fix clears the font buffer and resets size tracking when reallocation fails, ensuring putcs implementations return early rather than accessing invalid memory.
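A userspace model of the failure path described above, added here as an illustration and not taken from the kernel source or the patch. The names `font_state`, `rotate_font`, `glyph_access` and `scenario`, the 16-byte cell size and the 256/512 glyph counts are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the kernel's structures. */
struct font_state {
    unsigned char *fontbuffer; /* rotated glyphs, NULL when unavailable */
    size_t fd_size;            /* bytes allocated behind fontbuffer */
    size_t cellsize;           /* bytes per rotated glyph */
};

/* alloc_fails simulates the failed reallocation; clear_on_fail = fixed path. */
static int rotate_font(struct font_state *st, size_t cellsize, size_t count,
                       int alloc_fails, int clear_on_fail) {
    size_t need = cellsize * count;
    st->cellsize = cellsize;
    if (st->fd_size >= need)
        return 0;                  /* existing buffer is large enough */
    unsigned char *dst = alloc_fails ? NULL : calloc(count, cellsize);
    if (!dst) {
        if (clear_on_fail) {       /* fixed: drop the undersized buffer */
            free(st->fontbuffer);
            st->fontbuffer = NULL;
            st->fd_size = 0;
        }
        return -1;                 /* old: the stale buffer stays in place */
    }
    free(st->fontbuffer);
    st->fontbuffer = dst;
    st->fd_size = need;
    return 0;
}

/* putcs-style lookup: 0 = early return, 1 = in bounds, -1 = out of bounds.
 * The bounds test only reports the overrun; nothing is dereferenced. */
static int glyph_access(const struct font_state *st, size_t ch) {
    if (!st->fontbuffer)
        return 0;
    return (ch + 1) * st->cellsize > st->fd_size ? -1 : 1;
}

/* Constructed scenario: 256 glyphs, then 512 glyphs with a failed realloc. */
static int scenario(int clear_on_fail, size_t ch) {
    struct font_state st = {0};
    rotate_font(&st, 16, 256, 0, clear_on_fail);
    rotate_font(&st, 16, 512, 1, clear_on_fail);
    int r = glyph_access(&st, ch);
    free(st.fontbuffer);
    return r;
}
int main(void) { printf("old=%d fixed=%d\n", scenario(0, 300), scenario(1, 300)); return 0; }
```

With the old behaviour, character code 300 resolves to an offset beyond the 4096-byte buffer left over from the smaller font; with the buffer cleared, the lookup returns early for every character code.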
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.90 | ab6c34b9829d |
| 6.18 | 6.18.32 | 7105d9f1387d |
| 6.6 | 6.6.140 | 594973a2e549 |
| 7.0 | 7.0.7 | b44cc78ff46b |
| mainline | 7.1-rc1 | e4ef723d8975 |