Acknowledged
Created: Sep 4, 2025
Updated: Sep 8, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]fbdev: Fix vmalloc out-of-bounds write in fast_imageblit[EOL][EOL]This issue triggers when a userspace program does an ioctl[EOL]FBIOPUT_CON2FBMAP by passing console number and frame buffer number.[EOL]Ideally this maps console to frame buffer and updates the screen if[EOL]console is visible.[EOL][EOL]As part of mapping it has to do resize of console according to frame[EOL]buffer info. if this resize fails and returns from vc_do_resize() and[EOL]continues further. At this point console and new frame buffer are mapped[EOL]and sets display vars. Despite failure still it continue to proceed[EOL]updating the screen at later stages where vc_data is related to previous[EOL]frame buffer and frame buffer info and display vars are mapped to new[EOL]frame buffer and eventully leading to out-of-bounds write in[EOL]fast_imageblit(). This bheviour is excepted only when fg_console is[EOL]equal to requested console which is a visible console and updates screen[EOL]with invalid struct references in fbcon_putcs().
CREATE(Triage):(User=admin) [CVE-2025-38685 (https://nvd.nist.gov/vuln/detail/CVE-2025-38685)
