CVE-2025-68296

{"id": "CVE-2025-68296", "cveTags": [], "metrics": {}, "affected": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "affectedData": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289", "lessThan": "711ebd961190def4c69ea24b2f0be75e995af24a", "versionType": "git"}, {"status": "affected", "version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289", "lessThan": "482330f8261b4bea8146d9bd69c1199e5dfcbb5c", "versionType": "git"}, {"status": "affected", "version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289", "lessThan": "05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a", "versionType": "git"}, {"status": "affected", "version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289", "lessThan": "eb76d0f5553575599561010f24c277cc5b31d003", "versionType": "git"}], "programFiles": ["drivers/gpu/drm/drm_fb_helper.c", "drivers/video/fbdev/core/fbcon.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.34"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.34", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.143", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.12.61", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.17.11", "versionType": "semver", "lessThanOrEqual": "6.17.*"}, {"status": "unaffected", "version": "6.18", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/gpu/drm/drm_fb_helper.c", "drivers/video/fbdev/core/fbcon.c"], "defaultStatus": "affected"}]}], "published": "2025-12-16T16:16:08.540", "references": [{"url": "https://git.kernel.org/stable/c/05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/482330f8261b4bea8146d9bd69c1199e5dfcbb5c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/711ebd961190def4c69ea24b2f0be75e995af24a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eb76d0f5553575599561010f24c277cc5b31d003", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Deferred", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup\n\nProtect vga_switcheroo_client_fb_set() with console lock. Avoids OOB\naccess in fbcon_remap_all(). Without holding the console lock the call\nraces with switching outputs.\n\nVGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon\nfunction uses struct fb_info.node, which is set by register_framebuffer().\nAs the fb-helper code currently sets up VGA switcheroo before registering\nthe framebuffer, the value of node is -1 and therefore not a legal value.\nFor example, fbcon uses the value within set_con2fb_map() [1] as an index\ninto an array.\n\nMoving vga_switcheroo_client_fb_set() after register_framebuffer() can\nresult in VGA switching that does not switch fbcon correctly.\n\nTherefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),\nwhich already holds the console lock. Fbdev calls fbcon_fb_registered()\nfrom within register_framebuffer(). Serializes the helper with VGA\nswitcheroo's call to fbcon_remap_all().\n\nAlthough vga_switcheroo_client_fb_set() takes an instance of struct fb_info\nas parameter, it really only needs the contained fbcon state. Moving the\ncall to fbcon initialization is therefore cleaner than before. Only amdgpu,\ni915, nouveau and radeon support vga_switcheroo. For all other drivers,\nthis change does nothing."}], "lastModified": "2026-06-19T13:16:24.050", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}