CVE-2025-40304
Description
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.
Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, missing bounds checking in fbdev's bit_putcs can cause vmalloc out-of-bounds writes when rendering text near screen edges.
Vulnerability
CVE-2025-40304 is a memory safety vulnerability in the Linux kernel's framebuffer (fbdev) subsystem. The bit_putcs function, which renders text to the framebuffer, lacked proper bounds checking for text positioned near screen edges. When the Y position is off-screen, the function now returns early; when the X position is off-screen, it breaks from the rendering loop. Additionally, when clipping the image width to fit the screen, the character count (cnt) must be updated to match the clipped width. Without this update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters: the buffer is allocated for the clipped width, but cnt reflects the original larger count, leading to out-of-bounds writes past the allocated buffer [1][2][3].
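The mismatch described above can be checked with a small user-space model. This is an added example, not the kernel's code or the fix commit: the struct, the function names and the 1-bit-per-pixel buffer layout are assumptions for illustration, and font_w is assumed to be non-zero.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model of the clipping arithmetic; all names are hypothetical. */
struct run { unsigned dx, dy, width, height, cnt; };

/* Bytes per scanline of a 1-bit-per-pixel image. */
static size_t pitch(unsigned px) { return (px + 7u) / 8u; }

/* Clip to the screen; returns 0 when nothing is visible.
 * fix_cnt == 0 models clipping the width but leaving cnt stale. */
static int clip_run(struct run *r, unsigned xres, unsigned yres,
                    unsigned font_w, int fix_cnt)
{
    if (r->dy >= yres || r->dx >= xres)
        return 0;                          /* fully off-screen */
    if (r->height > yres - r->dy)
        r->height = yres - r->dy;          /* clip to bottom edge */
    r->width = font_w * r->cnt;
    if (r->width > xres - r->dx) {
        r->width = xres - r->dx;           /* clip to right edge */
        if (fix_cnt) {
            r->cnt = r->width / font_w;    /* whole glyphs that still fit */
            if (r->cnt == 0)
                return 0;
            r->width = r->cnt * font_w;
        }
    }
    return 1;
}

/* Bytes written past a buffer sized from the clipped image when cnt glyphs
 * of pitch(font_w) bytes are copied into each row. -1: nothing rendered. */
long overrun_bytes(unsigned xres, unsigned yres, unsigned font_w,
                   unsigned font_h, unsigned dx, unsigned dy,
                   unsigned cnt, int fix_cnt)
{
    struct run r = { dx, dy, 0, font_h, cnt };
    if (!clip_run(&r, xres, yres, font_w, fix_cnt))
        return -1;
    size_t alloc = pitch(r.width) * r.height;
    size_t extent = pitch(r.width) * (r.height - 1) + pitch(font_w) * r.cnt;
    return extent > alloc ? (long)(extent - alloc) : 0;
}

int main(void)
{
    /* Constructed input: 1024x768 screen, 8x16 font, 10 glyphs at (1000, 760). */
    printf("stale cnt: %ld bytes past buffer\n", overrun_bytes(1024, 768, 8, 16, 1000, 760, 10, 0));
    printf("fixed cnt: %ld bytes past buffer\n", overrun_bytes(1024, 768, 8, 16, 1000, 760, 10, 1));
    return 0;
}
```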
Exploitation
An attacker would need the ability to trigger text rendering in the framebuffer console, which typically requires local access or the ability to influence console output (e.g., through a terminal or a crafted display operation). The vulnerability is triggered by rendering text at screen-edge coordinates, causing the rendering functions to write beyond the allocated framebuffer memory. No special privileges beyond the ability to write to the console are required, making it a low-complexity local attack.
Impact
Successful exploitation allows an attacker to write out-of-bounds to kernel memory allocated via vmalloc. This can corrupt adjacent kernel data structures, potentially leading to system crashes (denial of service) or, in more sophisticated scenarios, privilege escalation. The vulnerability is classified as a memory safety issue with high severity due to the potential for arbitrary write primitives.
Mitigation
The fix was committed to the Linux kernel stable tree in multiple commits [1][2][3]. Users should update their kernel to a version containing these patches. The vulnerability is not known to be exploited in the wild, but given its recent disclosure (December 2025). No workaround is available; patching is the recommended mitigation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 8 (996bfaa7372d, f0982400648a, 1943b69e87b0, ebc0730b490c, 86df8ade88d2, 15ba9acafb05, 2d1359e11674, 3637d34b35b2)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/15ba9acafb0517f8359ca30002c189a68ddbb939 (nvd)
- git.kernel.org/stable/c/1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1 (nvd)
- git.kernel.org/stable/c/2d1359e11674ed4274934eac8a71877ae5ae7bbb (nvd)
- git.kernel.org/stable/c/3637d34b35b287ab830e66048841ace404382b67 (nvd)
- git.kernel.org/stable/c/86df8ade88d290725554cefd03101ecd0fbd3752 (nvd)
- git.kernel.org/stable/c/996bfaa7372d6718b6d860bdf78f6618e850c702 (nvd)
- git.kernel.org/stable/c/ebc0730b490c7f27340b1222e01dd106e820320d (nvd)
- git.kernel.org/stable/c/f0982400648a3e00580253e0c48e991f34d2684c (nvd)