Description
In the Linux kernel, the following vulnerability has been resolved:

fbcon: Set fb_display[i]->mode to NULL when the mode is released

Recently, we discovered the following issue through syzkaller:

BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0
Read of size 4 at addr ff11000001b3c69c by task syz.xxx
...
Call Trace:
<TASK>
dump_stack_lvl+0xab/0xe0
print_address_description.constprop.0+0x2c/0x390
print_report+0xb9/0x280
kasan_report+0xb8/0xf0
fb_mode_is_equal+0x285/0x2f0
fbcon_mode_deleted+0x129/0x180
fb_set_var+0xe7f/0x11d0
do_fb_ioctl+0x6a0/0x750
fb_ioctl+0xe0/0x140
__x64_sys_ioctl+0x193/0x210
do_syscall_64+0x5f/0x9c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Based on experimentation and analysis, during framebuffer unregistration,
only the memory of fb_info->modelist is freed, without setting the
corresponding fb_display[i]->mode to NULL for the freed modes. This leads
to UAF issues during subsequent accesses. Here's an example of reproduction
steps:
1. With /dev/fb0 already registered in the system, load a kernel module
to register a new device /dev/fb1;
2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
3. Switch console from fb to VGA (to allow normal rmmod of the ko);
4. Unload the kernel module, at this point fb1's modelist is freed, leaving
a wild pointer in fb_display[];
5. Trigger the bug via system calls through fb0 attempting to delete a mode
from fb0.

Add a check in do_unregister_framebuffer(): if the mode to be freed exists
in fb_display[], set the corresponding mode pointer to NULL.
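The unregistration fix described in the commit message, as an added example that is not the kernel's own code: a user-space C model in which fb_info, modelist and fb_display[] are simplified stand-ins for the kernel structures (assumed shapes, not the real definitions), unregister_fb() clears every console entry that points into the modelist before freeing it, and mode_in_use() stands in for the deletion-time comparison that crashed in the syzkaller report.

```c
/* Added example, not the kernel's code: a self-contained model of the bug and
 * fix described above. fb_info, modelist and fb_display[] mirror the names in
 * the description; the structs are simplified stand-ins, not kernel definitions. */
#include <stdlib.h>
#include <string.h>

#define MAX_NR_CONSOLES 4

struct fb_videomode { unsigned int xres, yres, refresh; };
struct fb_info { struct fb_videomode *modelist; size_t nmodes; }; /* heap array, not a list */

/* Global per-console table; each entry may point into some fb_info's modelist. */
static struct { const struct fb_videomode *mode; } fb_display[MAX_NR_CONSOLES];

static struct fb_info *register_fb(size_t nmodes) {
    struct fb_info *info = calloc(1, sizeof *info);
    info->nmodes = nmodes;
    info->modelist = calloc(nmodes, sizeof *info->modelist);
    for (size_t i = 0; i < nmodes; i++)  /* constructed sample modes */
        info->modelist[i] = (struct fb_videomode){ 640u << i, 480u << i, 60 };
    return info;
}

/* Step 2 of the reproduction: console `con` now references one of `info`'s modes. */
static void set_con_mode(int con, const struct fb_info *info, size_t idx) {
    fb_display[con].mode = &info->modelist[idx];
}

/* Step 4 with the fix: before the modelist is freed, clear every fb_display[]
 * entry pointing into it. Without the inner loop the entry would be left
 * dangling (the vulnerable behaviour). Returns how many entries were cleared. */
static int unregister_fb(struct fb_info *info) {
    int cleared = 0;
    for (size_t j = 0; j < info->nmodes; j++)
        for (int i = 0; i < MAX_NR_CONSOLES; i++)
            if (fb_display[i].mode == &info->modelist[j]) { fb_display[i].mode = NULL; cleared++; }
    free(info->modelist);
    free(info);
    return cleared;
}

/* Step 5: a deletion check in the spirit of fbcon_mode_deleted() compares the
 * mode with each console's mode; with the fix it meets NULL, not freed memory. */
static int mode_in_use(const struct fb_videomode *m) {
    for (int i = 0; i < MAX_NR_CONSOLES; i++)
        if (fb_display[i].mode && memcmp(fb_display[i].mode, m, sizeof *m) == 0) return 1;
    return 0;
}
```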
Published: 2025-12-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free in the framebuffer subsystem can lead to kernel memory corruption or arbitrary code execution
Action: Patch Immediately
AI Analysis

Impact

A use-after-free occurs when a framebuffer device is unregistered: the mode pointer in the global fb_display[] array is not cleared, so a subsequent ioctl call dereferences a freed pointer. This can allow a local attacker with access to the /dev/fb* devices to read or write arbitrary kernel memory, potentially leading to privilege escalation or denial of service. The weakness is a classic Use-After-Free (CWE-416).

Affected Systems

No specific version bounds are listed (the CPE is cpe:2.3:o:linux:linux_kernel:*), so the flaw is treated as present in all versions of the Linux kernel that include the framebuffer subsystem. The affected product is the Linux kernel (vendor: Linux).

Risk and Exploitability

The CVSS score of 7.0 indicates medium severity, and the EPSS score of less than 1 % suggests a very low likelihood of exploitation today. The vulnerability is not listed in CISA’s KEV catalog, indicating that no widespread exploitation has been observed. However, the exploit requires local privileged interaction with framebuffer device drivers and careful timing (module unload while the console is still using the device). If an attacker can satisfy these conditions, they could corrupt kernel memory and potentially gain root access.

Generated by OpenCVE AI on April 20, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the fix, which clears the fb_display[] mode pointers during framebuffer unregistration (do_unregister_framebuffer()).
  • As a temporary measure, avoid unloading framebuffer modules while the console is attached to that device; switch the console to VGA before removing the module, or restrict module unload operations.
  • Limit access to framebuffer ioctl interfaces by applying appropriate file-system permissions or using capabilities to prevent untrusted users from issuing FBIOPUT_CON2FBMAP and other privileged calls.

Advisories
Source      ID          Title
Debian DLA  DLA-4436-1  linux-6.1 security update
Ubuntu USN  USN-8029-1  Linux kernel vulnerabilities
Ubuntu USN  USN-8030-1  Linux kernel (GCP) vulnerabilities
Ubuntu USN  USN-8029-2  Linux kernel vulnerabilities
Ubuntu USN  USN-8048-1  Linux kernel (OEM) vulnerabilities
Ubuntu USN  USN-8029-3  Linux kernel (Azure) vulnerabilities
Ubuntu USN  USN-8095-1  Linux kernel vulnerabilities
Ubuntu USN  USN-8095-2  Linux kernel (FIPS) vulnerabilities
Ubuntu USN  USN-8100-1  Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN  USN-8095-3  Linux kernel (Real-time) vulnerabilities
Ubuntu USN  USN-8095-4  Linux kernel (AWS) vulnerabilities
Ubuntu USN  USN-8125-1  Linux kernel (Azure) vulnerabilities
Ubuntu USN  USN-8126-1  Linux kernel (Azure) vulnerabilities
Ubuntu USN  USN-8095-5  Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN  USN-8165-1  Linux kernel (Azure FIPS) vulnerabilities

History

Mon, 20 Apr 2026 16:30:00 +0000

Type        Values Removed   Values Added
Weaknesses  (none)           CWE-416

Sat, 18 Apr 2026 09:15:00 +0000


Tue, 09 Dec 2025 00:15:00 +0000

Type        Values Removed          Values Added
References  (none)                  (none)
Metrics     threat_severity: None   cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                    threat_severity: Moderate


Mon, 08 Dec 2025 01:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           (added; identical to the Description section at the top of this page)
Title                (none)           fbcon: Set fb_display[i]->mode to NULL when the mode is released
First Time appeared  (none)           Linux; Linux linux Kernel
CPEs                 (none)           cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Linux; Linux linux Kernel
References           (none)           (none)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:09.204Z

Reserved: 2025-04-16T07:20:57.186Z

Link: CVE-2025-40323

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-08T01:16:05.067

Modified: 2026-04-18T09:16:12.603

Link: CVE-2025-40323

Redhat

Severity : Moderate

Public Date: 2025-12-08T00:00:00Z

Links: CVE-2025-40323 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T16:15:11Z

Weaknesses