CVE-2025-68296

Linux Kernel - Out-of-Bounds Access via VGA Switcheroo Race Condition

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before registering the framebuffer, the value of node is -1 and therefore not a legal value. For example, fbcon uses the value within set_con2fb_map() [1] as an index into an array. Moving vga_switcheroo_client_fb_set() after register_framebuffer() can result in VGA switching that does not switch fbcon correctly. Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(), which already holds the console lock. Fbdev calls fbcon_fb_registered() from within register_framebuffer(). Serializes the helper with VGA switcheroo's call to fbcon_remap_all(). Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info as parameter, it really only needs the contained fbcon state. Moving the call to fbcon initialization is therefore cleaner than before. Only amdgpu, i915, nouveau and radeon support vga_switcheroo. For all other drivers, this change does nothing.

Scores

EPSS 0.0018
EPSS Percentile 7.5%

Details

Status published
Products (14)
linux/Kernel 2.6.34 - 6.12.61linux
linux/Kernel 2.6.34 - 6.6.143linux
linux/Kernel 6.13.0 - 6.17.11linux
linux/Kernel 6.7.0 - 6.12.61linux
Linux/Linux < 2.6.34
Linux/Linux 2.6.34
Linux/Linux 6.12.61 - 6.12.*
Linux/Linux 6.17.11 - 6.17.*
Linux/Linux 6.18
Linux/Linux 6.6.143 - 6.6.*
... and 4 more
Published Dec 16, 2025
Tracked Since Feb 18, 2026