CVE-2025-38198

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38198
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38198.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38198
Downstream
Related
Published
2025-07-04T14:15:27Z
Modified
2025-08-12T21:01:39Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Make sure modelist not set on unregistered console

It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles:

UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fbinfo *[32]' ... fbconinfofromconsole+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 fbconnewmodelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 fbnewmodelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673 storemodes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113 devattr_store+0x55/0x80 drivers/base/core.c:2439

static struct fbinfo *fbconregisteredfb[FBMAX]; ... static signed char con2fbmap[MAXNRCONSOLES]; ... static struct fbinfo *fbconinfofromconsole(int console) ... return fbconregisteredfb[con2fbmap[console]];

If con2fbmap contains a -1 things go wrong here. Instead, return NULL, as callers of fbconinfofromconsole() are trying to compare against existing "info" pointers, so error handling should kick in correctly.

References

Affected packages