CVE-2025-68296
Description
In the Linux kernel, the following vulnerability has been resolved:
drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs.
VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before registering the framebuffer, the value of node is -1 and therefore not a legal value. For example, fbcon uses the value within set_con2fb_map() [1] as an index into an array.
Moving vga_switcheroo_client_fb_set() after register_framebuffer() can result in VGA switching that does not switch fbcon correctly.
Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(), which already holds the console lock. Fbdev calls fbcon_fb_registered() from within register_framebuffer(). Serializes the helper with VGA switcheroo's call to fbcon_remap_all().
Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info as parameter, it really only needs the contained fbcon state. Moving the call to fbcon initialization is therefore cleaner than before. Only amdgpu, i915, nouveau and radeon support vga_switcheroo. For all other drivers, this change does nothing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Linux kernel's VGA switcheroo with fbcon setup could cause out-of-bounds access during switching, fixed by holding console lock.
Vulnerability
Description A race condition exists in the Linux kernel's VGA switcheroo driver when handling framebuffer console (fbcon) setup. The function vga_switcheroo_client_fb_set() was called without holding the console lock, leading to a potential out-of-bounds (OOB) access in fbcon_remap_all(). This occurs because fbcon_remap_all() uses struct fb_info.node, which is set to -1 when the framebuffer is not yet registered. The node value is used as an index into an array in set_con2fb_map(), causing the OOB access [1].
Exploitation
Prerequisites An attacker would need to trigger a VGA switcheroo client switch—a hardware switching event typically initiated through user interaction or system management. No authentication is required if the switch can be triggered locally, but the vulnerability is not remotely exploitable. The issue impacts systems using VGA switcheroo (e.g., laptops with dual graphics), affecting drivers amdgpu, i915, nouveau, and radeon [1].
Impact
A successful race condition could lead to memory corruption or system crash (denial of service). The out-of-bounds access may allow an attacker with local access to escalate privileges or cause undefined behavior. However, the patch description indicates the fix serializes access, preventing the race.
Mitigation
The fix moves vga_switcheroo_client_fb_set() into fbcon_fb_registered(), which already holds the console lock. This ensures proper serialization with VGA switcheroo's call to fbcon_remap_all(). The kernel stable commit (e.g., 482330f8261b) resolves the issue. Users should apply kernel updates containing this patch. No workaround is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.