CVE-2025-38213
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38213
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38213.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38213
- Downstream
- Published
- 2025-07-04T14:15:29Z
- Modified
- 2025-07-10T17:12:19.944023Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
vgacon: Add check for vcorigin address range in vgaconscroll()
Our in-house Syzkaller reported the following BUG (twice), which we believed was the same issue with [1]:
================================================================== BUG: KASAN: slab-out-of-bounds in vcsscrreadw+0xc2/0xd0 drivers/tty/vt/vt.c:4740 Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393 ... Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x72/0xa0 lib/dumpstack.c:106 printaddressdescription.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364 printreport+0xba/0x280 mm/kasan/report.c:475 kasanreport+0xa9/0xe0 mm/kasan/report.c:588 vcsscrreadw+0xc2/0xd0 drivers/tty/vt/vt.c:4740 vcswritebufnoattr drivers/tty/vt/vcscreen.c:493 [inline] vcswrite+0x586/0x840 drivers/tty/vt/vcscreen.c:690 vfswrite+0x219/0x960 fs/readwrite.c:584 ksyswrite+0x12e/0x260 fs/readwrite.c:639 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x59/0x110 arch/x86/entry/common.c:81 entrySYSCALL64afterhwframe+0x78/0xe2 ... </TASK>
Allocated by task 5614: kasansavestack+0x20/0x40 mm/kasan/common.c:45 kasansettrack+0x25/0x30 mm/kasan/common.c:52 _kasankmalloc mm/kasan/common.c:374 [inline] _kasankmalloc+0x8f/0xa0 mm/kasan/common.c:383 kasankmalloc include/linux/kasan.h:201 [inline] _dokmallocnode mm/slabcommon.c:1007 [inline] _kmalloc+0x62/0x140 mm/slabcommon.c:1020 kmalloc include/linux/slab.h:604 [inline] kzalloc include/linux/slab.h:721 [inline] vcdoresize+0x235/0xf40 drivers/tty/vt/vt.c:1193 vgaconadjustheight+0x2d4/0x350 drivers/video/console/vgacon.c:1007 vgaconfontset+0x1f7/0x240 drivers/video/console/vgacon.c:1031 confontset drivers/tty/vt/vt.c:4628 [inline] confontop+0x4da/0xa20 drivers/tty/vt/vt.c:4675 vtkioctl+0xa10/0xb30 drivers/tty/vt/vtioctl.c:474 vtioctl+0x14c/0x1870 drivers/tty/vt/vtioctl.c:752 ttyioctl+0x655/0x1510 drivers/tty/ttyio.c:2779 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:871 [inline] _sesysioctl+0x12d/0x190 fs/ioctl.c:857 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x59/0x110 arch/x86/entry/common.c:81 entrySYSCALL64after_hwframe+0x78/0xe2
Last potentially related work creation: kasansavestack+0x20/0x40 mm/kasan/common.c:45 _kasanrecordauxstack+0x94/0xa0 mm/kasan/generic.c:492 _callrcucommon.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713 netlinkrelease+0x620/0xc20 net/netlink/afnetlink.c:802 _sockrelease+0xb5/0x270 net/socket.c:663 sockclose+0x1e/0x30 net/socket.c:1425 _fput+0x408/0xab0 fs/filetable.c:384 _fputsync+0x4c/0x60 fs/filetable.c:465 _dosysclose fs/open.c:1580 [inline] _sesysclose+0x68/0xd0 fs/open.c:1565 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x59/0x110 arch/x86/entry/common.c:81 entrySYSCALL64after_hwframe+0x78/0xe2
Second to last potentially related work creation: kasansavestack+0x20/0x40 mm/kasan/common.c:45 _kasanrecordauxstack+0x94/0xa0 mm/kasan/generic.c:492 _callrcucommon.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713 netlinkrelease+0x620/0xc20 net/netlink/afnetlink.c:802 _sockrelease+0xb5/0x270 net/socket.c:663 sockclose+0x1e/0x30 net/socket.c:1425 _fput+0x408/0xab0 fs/filetable.c:384 taskworkrun+0x154/0x240 kernel/taskwork.c:239 exittaskwork include/linux/taskwork.h:45 [inline] doexit+0x8e5/0x1320 kernel/exit.c:874 dogroupexit+0xcd/0x280 kernel/exit.c:1023 getsignal+0x1675/0x1850 kernel/signal.c:2905 archdosignalorrestart+0x80/0x3b0 arch/x86/kernel/signal.c:310 exittousermodeloop kernel/entry/common.c:111 [inline] exittousermodeprepare include/linux/entry-common.h:328 [inline] _syscallexittousermodework kernel/entry/common.c:207 [inline] syscallexittousermode+0x1b3/0x1e0 kernel/entry/common.c:218 dosyscall64+0x66/0x110 arch/x86/ent ---truncated---
- References
-
- https://git.kernel.org/stable/c/2f4040a5855a59e48296f1b5a7cc0fceea3195b1
- https://git.kernel.org/stable/c/499b77fa1416a85fee106e60b240e912bca10cb8
- https://git.kernel.org/stable/c/843de5fbfe277e30fb333a7fa033b684c37829ac
- https://git.kernel.org/stable/c/864f9963ec6b4b76d104d595ba28110b87158003
- https://git.kernel.org/stable/c/9928ba7de39793a1c7c77b8b9e6ecf6209110311
- https://git.kernel.org/stable/c/bf9c07864765864b968e59c7b72db91130d621ca
- https://git.kernel.org/stable/c/e44532b1c358bfd2c4c7dc28fd01d47fef09ac70
- https://git.kernel.org/stable/c/f20fd54af4e1077fdbca4dd98375a4d1d941e50d
- https://security-tracker.debian.org/tracker/CVE-2025-38213
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.12.35-1