CVE-2025-40322

bitputcsaligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.

This fixes a global out-of-bounds read reported by syzbot.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40322.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Fixed

a10cede006f9614b465cf25609a8753efbfd45cc

Fixed

0998a6cb232674408a03e8561dc15aa266b2f53b

Fixed

db5c9a162d2f42bcc842b76b3d935dcc050a0eec

Fixed

c12003bf91fdff381c55ef54fef3e961a5af2545

Fixed

9ba1a7802ca9a2590cef95b253e6526f4364477f

Fixed

901f44227072be60812fe8083e83e1533c04eed1

Fixed

efaf89a75a29b2d179bf4fe63ca62852e93ad620

Fixed

18c4ef4e765a798b47980555ed665d78b71aeadf

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40322.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.12

Fixed

5.4.302

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.247

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.197

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.159

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.117

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.58

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40322.json"