VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2025-40322

Description

In the Linux kernel, the following vulnerability has been resolved:

fbdev: bitblit: bound-check glyph index in bit_putcs*

bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.

This fixes a global out-of-bounds read reported by syzbot.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A global out-of-bounds read in the fbdev bitblit functions allows reading past the end of the font array; the fix clamps the glyph index.

Vulnerability

Analysis

In the Linux kernel's framebuffer subsystem, the bitblit functions bit_putcs_aligned() and bit_putcs_unaligned() derived a glyph pointer from the character value after masking it by 0xff or 0x1ff. This mask did not account for the actual number of glyphs in the built-in font, allowing an out-of-bounds read past the end of the font array. The vulnerability is a global out-of-bounds read, reported by syzbot.

Exploitation

The issue can be triggered by rendering text that uses a character code exceeding the font's glyph count. No special privileges are required; any process that writes to the framebuffer console could potentially trigger the read. The attacker must be able to control the character data rendered, which may be possible from user space via console operations.

Impact

An attacker exploiting this bug could read kernel memory past the font array, potentially leaking sensitive information. The out-of-bounds read is limited to adjacent memory, but could be used to obtain kernel addresses or other data, aiding in further exploitation. The bug does not directly allow code execution, but the information leak can bypass KASLR.

Mitigation

The fix, applied in stable kernel commits [1][2][3], clamps the glyph index to the actual glyph count before computing the pointer address. Users should update their kernel to a version containing the fix, such as 6.12 or later stable releases. No workaround is available; a kernel upgrade is required.
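The masked-index pattern and the bounds check described above, as an added user-space example (not the kernel's code and not taken from the fix commits). The `struct font` model, the 128-glyph sample font, the function names, and the choice to fall back to glyph 0 for an out-of-range index are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a console font: glyph_count glyphs of cellsize bytes. */
struct font {
    const uint8_t *data;
    unsigned int glyph_count;   /* real number of glyphs in data[] */
    unsigned int cellsize;      /* bytes per glyph bitmap */
};

#define GLYPHS   128u           /* sample font smaller than the 0xff mask range */
#define CELLSIZE 16u
static const uint8_t sample_data[GLYPHS * CELLSIZE] = {0};
static const struct font sample_font = { sample_data, GLYPHS, CELLSIZE };

/* Pre-fix pattern: the index is bounded only by the mask (0xff or 0x1ff). */
size_t unchecked_offset(const struct font *f, uint16_t cell, uint16_t charmask)
{
    return (size_t)(cell & charmask) * f->cellsize;
}

/* Returns 1 if a glyph starting at off lies fully inside the font data. */
int offset_in_bounds(const struct font *f, size_t off)
{
    size_t total = (size_t)f->glyph_count * f->cellsize;
    return off < total && total - off >= f->cellsize;
}

/* Hardened lookup: validate the index against glyph_count before forming
 * the address. Falling back to glyph 0 is this example's assumption. */
const uint8_t *checked_glyph(const struct font *f, uint16_t cell, uint16_t charmask)
{
    unsigned int idx = cell & charmask;
    if (idx >= f->glyph_count)
        idx = 0;
    return f->data + (size_t)idx * f->cellsize;
}

int main(void)
{
    uint16_t cell = 0x07C8;     /* constructed cell: attribute 0x07, character 0xC8 */
    size_t off = unchecked_offset(&sample_font, cell, 0xff);
    printf("unchecked offset %zu, in bounds: %d\n", off, offset_in_bounds(&sample_font, off));
    printf("checked glyph offset %td\n", checked_glyph(&sample_font, cell, 0xff) - sample_font.data);
    return 0;
}
```

The unchecked variant only computes the offset and never dereferences it, so the example runs without performing the out-of-bounds read itself.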

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (inferred), 2 versions

Patches

8

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
