Unrated severityNVD Advisory· Published May 28, 2026
CVE-2026-46191
CVE-2026-46191
Description
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Avoid OOB font access if console rotation fails
Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.
Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.
v2: - fix typos in commit message
Affected products
2Patches
10594973a2e549fbcon: Avoid OOB font access if console rotation fails
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas ZimmermannMay 15, 2026Fixed in 6.6.140via kernel-cna
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index ec3c883400f7b8..4a06e71ae4434a 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (ops->fd_size < d_cellsize * len) { + kfree(ops->fontbuffer); + ops->fontbuffer = NULL; + ops->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } ops->fd_size = d_cellsize * len; - kfree(ops->fontbuffer); ops->fontbuffer = dst; } -- cgit 1.3-korg
ab6c34b9829dfbcon: Avoid OOB font access if console rotation fails
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas ZimmermannMay 14, 2026Fixed in 6.12.90via kernel-cna
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index ec3c883400f7b8..4a06e71ae4434a 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (ops->fd_size < d_cellsize * len) { + kfree(ops->fontbuffer); + ops->fontbuffer = NULL; + ops->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } ops->fd_size = d_cellsize * len; - kfree(ops->fontbuffer); ops->fontbuffer = dst; } -- cgit 1.3-korg
7105d9f1387dfbcon: Avoid OOB font access if console rotation fails
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas ZimmermannMay 14, 2026Fixed in 6.18.32via kernel-cna
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index 380b2746451a1c..a3f507825eed8a 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (par->fd_size < d_cellsize * len) { + kfree(par->fontbuffer); + par->fontbuffer = NULL; + par->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } par->fd_size = d_cellsize * len; - kfree(par->fontbuffer); par->fontbuffer = dst; } -- cgit 1.3-korg
b44cc78ff46bfbcon: Avoid OOB font access if console rotation fails
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas ZimmermannFixed in 7.0.7via kernel-cna
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index 1562a8f20b4f59..5348f6c6f57c7c 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (par->fd_size < d_cellsize * len) { + kfree(par->fontbuffer); + par->fontbuffer = NULL; + par->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } par->fd_size = d_cellsize * len; - kfree(par->fontbuffer); par->fontbuffer = dst; } -- cgit 1.3-korg
e4ef723d8975fbcon: Avoid OOB font access if console rotation fails
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas ZimmermannFixed in 7.1-rc1via kernel-cna
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index 1562a8f20b4f59..5348f6c6f57c7c 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (par->fd_size < d_cellsize * len) { + kfree(par->fontbuffer); + par->fontbuffer = NULL; + par->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } par->fd_size = d_cellsize * len; - kfree(par->fontbuffer); par->fontbuffer = dst; } -- cgit 1.3-korg
594973a2e549fbcon: Avoid OOB font access if console rotation fails
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThomas ZimmermannMay 15, 2026via nvd-ref
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index ec3c883400f7b8..4a06e71ae4434a 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (ops->fd_size < d_cellsize * len) { + kfree(ops->fontbuffer); + ops->fontbuffer = NULL; + ops->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } ops->fd_size = d_cellsize * len; - kfree(ops->fontbuffer); ops->fontbuffer = dst; } -- cgit 1.3-korg
ab6c34b9829dfbcon: Avoid OOB font access if console rotation fails
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThomas ZimmermannMay 14, 2026via nvd-ref
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index ec3c883400f7b8..4a06e71ae4434a 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (ops->fd_size < d_cellsize * len) { + kfree(ops->fontbuffer); + ops->fontbuffer = NULL; + ops->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } ops->fd_size = d_cellsize * len; - kfree(ops->fontbuffer); ops->fontbuffer = dst; } -- cgit 1.3-korg
7105d9f1387dfbcon: Avoid OOB font access if console rotation fails
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThomas ZimmermannMay 14, 2026via nvd-ref
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index 380b2746451a1c..a3f507825eed8a 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (par->fd_size < d_cellsize * len) { + kfree(par->fontbuffer); + par->fontbuffer = NULL; + par->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } par->fd_size = d_cellsize * len; - kfree(par->fontbuffer); par->fontbuffer = dst; } -- cgit 1.3-korg
e4ef723d8975fbcon: Avoid OOB font access if console rotation fails
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index 1562a8f20b4f59..5348f6c6f57c7c 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (par->fd_size < d_cellsize * len) { + kfree(par->fontbuffer); + par->fontbuffer = NULL; + par->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } par->fd_size = d_cellsize * len; - kfree(par->fontbuffer); par->fontbuffer = dst; } -- cgit 1.3-korg
b44cc78ff46bfbcon: Avoid OOB font access if console rotation fails
1 file changed · +4 −2
drivers/video/fbdev/core/fbcon_rotate.c+4 −2 modifieddiff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c index 1562a8f20b4f59..5348f6c6f57c7c 100644 --- a/drivers/video/fbdev/core/fbcon_rotate.c +++ b/drivers/video/fbdev/core/fbcon_rotate.c @@ -46,6 +46,10 @@ int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) info->fbops->fb_sync(info); if (par->fd_size < d_cellsize * len) { + kfree(par->fontbuffer); + par->fontbuffer = NULL; + par->fd_size = 0; + dst = kmalloc_array(len, d_cellsize, GFP_KERNEL); if (dst == NULL) { @@ -54,7 +58,6 @@ int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc) } par->fd_size = d_cellsize * len; - kfree(par->fontbuffer); par->fontbuffer = dst; } -- cgit 1.3-korg
Vulnerability mechanics
Synthesis attempt was rejected by the grounding validator. Re-run pending.
References
5- git.kernel.org/stable/c/594973a2e54924d8ba31c9faac669fc1ba6fcb80nvd
- git.kernel.org/stable/c/7105d9f1387d63b15c9a860674fc92c959181f2fnvd
- git.kernel.org/stable/c/ab6c34b9829d5de03f1d08a47a2253729a6e7e27nvd
- git.kernel.org/stable/c/b44cc78ff46b96e72d333a3be6aaaa0a14797263nvd
- git.kernel.org/stable/c/e4ef723d8975a2694cc90733a6b888a5e2841842nvd
News mentions
0No linked articles in our index yet.