VYPR
High severity 7.8 · NVD Advisory · Published Jul 4, 2025 · Updated May 12, 2026

CVE-2025-38198

Description

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Make sure modelist not set on unregistered console

It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles:

  UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28
  index -1 is out of range for type 'fb_info *[32]'
  ...
  fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122
  fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048
  fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673
  store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113
  dev_attr_store+0x55/0x80 drivers/base/core.c:2439

  static struct fb_info *fbcon_registered_fb[FB_MAX];
  ...
  static signed char con2fb_map[MAX_NR_CONSOLES];
  ...
  static struct fb_info *fbcon_info_from_console(int console)
  ...
          return fbcon_registered_fb[con2fb_map[console]];

If con2fb_map contains a -1 things go wrong here. Instead, return NULL, as callers of fbcon_info_from_console() are trying to compare against existing "info" pointers, so error handling should kick in correctly.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flaw in fbcon's mode-setting allows an array-index-out-of-bounds via a negative console-to-fb mapping when the console is unregistered, risking memory corruption.

Vulnerability

CVE-2025-38198 is an out-of-bounds array access in the Linux kernel's framebuffer console (fbcon) subsystem. The root cause lies in fbcon_info_from_console(), which uses con2fb_map[console] as an index into the fbcon_registered_fb[] array. When con2fb_map[console] contains -1 (meaning the console is not bound to any framebuffer), the resulting index is -1, causing an array-index-out-of-bounds error [1][2]. The flaw exists because the function does not validate the mapping value before using it as an array index.

Exploitation

An attacker can trigger this bug by writing to the store_modes sysfs node for a framebuffer device (/sys/class/graphics/fb*/modes). This operation calls fb_new_modelist() → fbcon_new_modelist() → fbcon_info_from_console() with a console index that maps to -1 [1]. The attacker needs local access to the system and the ability to write to sysfs (typically root or video group permissions). No special hardware or physical access is required.

Impact

Successful exploitation causes a UBSAN-detected out-of-bounds read/write, which can corrupt kernel memory. This may lead to a system crash (denial of service) or, in principle, be leveraged for privilege escalation if the out-of-bounds access is controlled to overwrite sensitive kernel structures [1]. The vulnerability is rated High with CVSS v3 7.8 due to its potential for local privilege escalation.

Mitigation

The fix is merged into the Linux kernel stable tree [2][3]. The patch modifies fbcon_info_from_console() to return NULL when con2fb_map[console] is -1, which forces callers to handle the error gracefully. Administrators should apply the latest kernel updates from their distribution or compile a patched kernel. No workaround is available other than restricting access to the sysfs interface.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
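
The guarded lookup described under Mitigation, modelled in userspace as an added example (not the kernel's own patch). FB_MAX follows the 'fb_info *[32]' type in the UBSAN report; MAX_NR_CONSOLES, the upper-bound test, consoles_using() and demo() are assumptions made for illustration.

```c
/* Userspace model, not kernel source. FB_MAX matches the 'fb_info *[32]' in the
 * UBSAN report; MAX_NR_CONSOLES, consoles_using() and demo() are assumptions. */
#include <stddef.h>
#include <stdio.h>

#define FB_MAX 32
#define MAX_NR_CONSOLES 63

struct fb_info { int node; };

static struct fb_info *fbcon_registered_fb[FB_MAX];
static signed char con2fb_map[MAX_NR_CONSOLES];

/* Hardened lookup: -1 means "console not mapped", so return NULL instead of
 * reading fbcon_registered_fb[-1]. The upper-bound test is extra defence. */
static struct fb_info *fbcon_info_from_console(int console)
{
    signed char fb = con2fb_map[console];

    if (fb < 0 || fb >= FB_MAX)
        return NULL;
    return fbcon_registered_fb[fb];
}

/* Caller pattern from the description: compare each console's fb_info with
 * the one being updated; a NULL result never matches a live pointer. */
static int consoles_using(const struct fb_info *info)
{
    int i, hits = 0;

    for (i = 0; i < MAX_NR_CONSOLES; i++)
        if (fbcon_info_from_console(i) == info)
            hits++;
    return hits;
}

/* Constructed state: fb0 registered, consoles 0 and 1 bound, the rest -1. */
static struct fb_info fb0 = { 0 };
static int demo(void)
{
    int i;
    for (i = 0; i < MAX_NR_CONSOLES; i++)
        con2fb_map[i] = -1;
    fbcon_registered_fb[0] = &fb0;
    con2fb_map[0] = con2fb_map[1] = 0;
    return consoles_using(&fb0);
}

int main(void) { printf("consoles bound to fb0: %d\n", demo()); return 0; }
```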
