CVE-2025-38685

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38685
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38685.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38685
Downstream
Related
Published
2025-09-04T15:32:39.856Z
Modified
2025-11-27T19:34:44.625169Z
Summary
fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix vmalloc out-of-bounds write in fast_imageblit

This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible.

As part of mapping it has to do resize of console according to frame buffer info. if this resize fails and returns from vcdoresize() and continues further. At this point console and new frame buffer are mapped and sets display vars. Despite failure still it continue to proceed updating the screen at later stages where vcdata is related to previous frame buffer and frame buffer info and display vars are mapped to new frame buffer and eventully leading to out-of-bounds write in fastimageblit(). This bheviour is excepted only when fgconsole is equal to requested console which is a visible console and updates screen with invalid struct references in fbconputcs().

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/ee626f5d79d5817bb21d6f048dc0da4c4e383443/cves/2025/38xxx/CVE-2025-38685.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
078e62bffca4b7e72e8f3550eb063ab981c36c7a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
4c4d7ddaf1d43780b106bedc692679f965dc5a3a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
27b118aebdd84161c8ff5ce49d9d536f2af10754
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
ed9b8e5016230868c8d813d9179523f729fec8c6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
56701bf9eeb63219e378cb7fcbd066ea4eaeeb50
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
cfec17721265e72e50cc69c6004fe3475cd38df2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
af0db3c1f898144846d4c172531a199bb3ca375d

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.190
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.149
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.103
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.43
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.11
Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.16.2