CVE-2022-50511
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

lib/fonts: fix undefined behavior in bit shift for get_default_font

Shifting a signed 32-bit value by 31 bits is undefined, so the significant bit is changed to unsigned. The UBSAN warning call trace is like below:

    UBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20
    left shift of 1 by 31 places cannot be represented in type 'int'
    <TASK>
    dump_stack_lvl+0x7d/0xa5
    dump_stack+0x15/0x1b
    ubsan_epilogue+0xe/0x4e
    __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
    get_default_font+0x1c7/0x1f0
    fbcon_startup+0x347/0x3a0
    do_take_over_console+0xce/0x270
    do_fbcon_takeover+0xa1/0x170
    do_fb_registered+0x2a8/0x340
    fbcon_fb_registered+0x47/0xe0
    register_framebuffer+0x294/0x4a0
    __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
    drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
    drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
    drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
    bochs_pci_probe+0x6ca/0x772 [bochs]
    local_pci_probe+0x4d/0xb0
    pci_device_probe+0x119/0x320
    really_probe+0x181/0x550
    __driver_probe_device+0xc6/0x220
    driver_probe_device+0x32/0x100
    __driver_attach+0x195/0x200
    bus_for_each_dev+0xbb/0x120
    driver_attach+0x27/0x30
    bus_add_driver+0x22e/0x2f0
    driver_register+0xa9/0x190
    __pci_register_driver+0x90/0xa0
    bochs_pci_driver_init+0x52/0x1000 [bochs]
    do_one_initcall+0x76/0x430
    do_init_module+0x61/0x28a
    load_module+0x1f82/0x2e50
    __do_sys_finit_module+0xf8/0x190
    __x64_sys_finit_module+0x23/0x30
    do_syscall_64+0x58/0x80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    </TASK>
Analysis
This is an undefined-behavior bug in the Linux kernel's font-selection code, lib/fonts/fonts.c: get_default_font() left-shifts the signed int constant 1 by 31 places, which the C standard leaves undefined, and a kernel built with UBSAN (the Undefined Behavior Sanitizer) reports it as a shift-out-of-bounds. The CPE data lists kernel versions from 2.6.23 onward as affected. The assigned CVSS vector (local, low privileges, high availability impact) should be read with two caveats. First, the only known trigger is framebuffer console startup during graphics driver registration, and the quoted call trace reaches it through finit_module, a privileged module load; the path is driven by driver probing, not by input an unprivileged user controls. Second, without UBSAN there is no report at all, and with UBSAN the report is a warning that becomes fatal only on a kernel booted with panic_on_warn, which is the realistic availability impact behind the rating. The EPSS score is accordingly very low at 0.01% (3rd percentile). Fixes are available from the kernel project and have been applied to the stable releases.
Technical Context
The flaw is in get_default_font() in lib/fonts/fonts.c. The function scores each compiled-in font against the caller's constraints: the caller passes font_w and font_h as bitmasks of acceptable widths and heights, and the function tests them with an expression of the form font_w & (1 << (f->width - 1)), and likewise for the height. The constant 1 has type int, so for a font whose width or height is 32 pixels the shift count is 31 and the result (0x80000000) is not representable in a 32-bit int; the C standard makes such a shift undefined behavior, and UBSAN flags it at fonts.c:139. The kernel does ship 32-pixel-high fonts, which is why the shift is reached in practice. The code path runs during framebuffer console startup (fbcon_startup), when the console takes over a newly registered framebuffer; in the quoted trace this happens while the bochs DRM driver's PCI probe registers its fbdev emulation through drm_kms_helper, i.e. during module load. The weakness class is integer overflow / incorrect bit manipulation (an out-of-range shift). Per the CPE data all Linux kernel versions are listed as potentially affected, with 2.6.23 onward named explicitly. Any kernel with a DRM or fbdev graphics driver and the framebuffer console enabled executes this code on display initialization regardless of the adapter; BOCHS is simply the device in the reported trace.
Affected Products
The Linux kernel is affected across multiple versions: the CPE references (cpe:2.3:o:linux:linux_kernel) cover all versions, name 2.6.23 and later explicitly, and also list the 2.6.23-rc2 through rc5 pre-releases. Because the shift runs whenever the framebuffer console initializes, any Linux system with DRM graphics drivers, the fbdev helpers (drm_kms_helper), or adapters such as BOCHS executes it; the bug itself is independent of the graphics hardware. The fix landed in mainline and was backported to the stable branches; the kernel.org references list the mainline fix 6fe888c4d2fb together with the stable commits 890d91b31f48, 9c14a85e1858, c9a9aa02f0fa, e039929e3681 and e83b47580a07. Each stable branch is fixed from the release that contains its backport onward, and earlier releases of every branch remain affected.
Remediation
Update to a kernel that contains the mainline fix 6fe888c4d2fb174408e4540bb2d5602b9f507f90 or the backport of it for your stable branch (the stable commits listed under Affected Products); "any later commit" is not a sufficient test, because a stable branch carries the fix only from the release that includes its backport. The change itself is a one-line fix in lib/fonts/fonts.c (line 139 in the reported build): the shifted constant becomes unsigned (1U instead of 1), so 1U << 31 is a well-defined value. Distributions ship this through their normal kernel updates; upgrade with the distribution package manager (apt, yum, dnf, pacman, etc.) to the latest kernel of your supported branch, and confirm from the distribution's security advisory or the kernel.org changelog that the fix is included. In a source tree, the patched comparison in get_default_font() uses 1U as the shifted constant. There is no configuration workaround that avoids the shift while keeping a framebuffer console, since it runs whenever fbcon takes over a framebuffer; not enabling the framebuffer console, or not loading fbdev/DRM graphics drivers, avoids the path but is rarely practical outside headless systems. Note that the report only appears on kernels built with UBSAN (CONFIG_UBSAN); a production kernel without it evaluates the shift silently, which is why no interim mitigation is normally needed before the update.
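The following is an added example, not code from the kernel tree or from this page. It re-implements in user space the size-bitmask test that the Technical Context section describes and the Remediation section patches: once in the pre-fix shape (the signed constant 1 shifted by width - 1) and once in the fixed shape from commit 6fe888c4d2fb (1U), wrapped in a simplified copy of the selection loop of get_default_font() so the scoring can be run on real values. Assumptions: the struct font_desc subset, the font table and its preference values are constructed for the demo (the 16x32 entry mirrors the kernel's Terminus 16x32 font, whose height of 32 is what makes the shift count 31), and the arch-specific (m68k) adjustments of the real function are omitted. Built with gcc -fsanitize=shift -DDEMO_UB it prints the same "left shift of 1 by 31 places" report the description quotes.

```c
/*
 * Added example for CVE-2022-50511; not code from the kernel tree or the
 * vuln.today page.  Re-implements the font-size bitmask test of
 * lib/fonts/fonts.c get_default_font() in user space, in the pre-fix shape
 * (signed shift, undefined for a 32-pixel dimension) and the fixed shape of
 * commit 6fe888c4d2fb (unsigned shift), inside a simplified selection loop.
 *
 * To see the UBSAN report quoted in the description:
 *   gcc -O0 -fsanitize=shift -fno-sanitize-recover=all -DDEMO_UB demo.c && ./a.out
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Subset of struct font_desc that the scoring uses (assumed layout). */
struct font_desc {
    const char *name;
    unsigned int width;   /* pixels */
    unsigned int height;  /* pixels */
    int pref;             /* higher wins ties */
};

/* font_w / font_h are bitmasks: bit (n - 1) set means "n pixels is acceptable". */
#define FONT_SIZE_MASK(n) (1U << ((n) - 1))

/* Pre-fix form.  The constant 1 is an int; when width or height is 32 the
 * shift count is 31 and the result is not representable in int, which C
 * (C11 6.5.7p4) leaves undefined.  Kept only so it can be instrumented;
 * never call it with a 32-pixel font in real code. */
static int size_ok_signed(unsigned int font_w, unsigned int font_h,
                          const struct font_desc *f)
{
    return (font_w & (1 << (f->width - 1))) &&
           (font_h & (1 << (f->height - 1)));
}

/* Fixed form: 1U << 31 is the well-defined unsigned value 0x80000000. */
static int size_ok_unsigned(unsigned int font_w, unsigned int font_h,
                            const struct font_desc *f)
{
    return (font_w & (1U << (f->width - 1))) &&
           (font_h & (1U << (f->height - 1)));
}

/* 1 if size_ok_signed() would invoke undefined behaviour for this font,
 * i.e. a shift count that reaches the sign bit of a 32-bit int. */
static int signed_shift_is_ub(const struct font_desc *f)
{
    return (f->width - 1) >= 31 || (f->height - 1) >= 31;
}

/* Simplified get_default_font(): scores every font, returns the best one,
 * or NULL for an empty table.  The m68k-specific tweaks are omitted. */
static const struct font_desc *pick_default_font(const struct font_desc *fonts,
                                                 size_t nfonts, int xres,
                                                 int yres, unsigned int font_w,
                                                 unsigned int font_h)
{
    const struct font_desc *best = NULL;
    int best_score = -10000;
    size_t i;

    (void)xres; /* only the m68k branches of the real function use it */
    for (i = 0; i < nfonts; i++) {
        const struct font_desc *f = &fonts[i];
        int c = f->pref;

        /* low-resolution screens prefer fonts at most 8 pixels high */
        if ((yres < 400) == (f->height <= 8))
            c += 1000;
        /* bonus when the caller accepts this font's exact width and height */
        if (size_ok_unsigned(font_w, font_h, f))
            c += 1000;
        if (c > best_score) {
            best_score = c;
            best = f;
        }
    }
    return best;
}

/* Constructed font table; the 16x32 entry is the one that makes the shift
 * count 31 (its height matches the kernel's Terminus 16x32 font). */
static const struct font_desc sample_fonts[] = {
    { "VGA8x8",   8,  8,  0 },
    { "VGA8x16",  8,  16, 1 },
    { "TER16x32", 16, 32, -1 },
};
#define NUM_SAMPLE_FONTS (sizeof(sample_fonts) / sizeof(sample_fonts[0]))

int main(void)
{
    const struct font_desc *f;
    size_t i;

    for (i = 0; i < NUM_SAMPLE_FONTS; i++)
        printf("%-9s %2ux%-2u signed shift would be UB: %s\n",
               sample_fonts[i].name, sample_fonts[i].width,
               sample_fonts[i].height,
               signed_shift_is_ub(&sample_fonts[i]) ? "yes" : "no");

    f = pick_default_font(sample_fonts, NUM_SAMPLE_FONTS, 1920, 1080,
                          FONT_SIZE_MASK(16), FONT_SIZE_MASK(32));
    printf("1920x1080, 16x32 acceptable -> %s\n", f ? f->name : "(none)");

#ifdef DEMO_UB
    /* Deliberately undefined: with -fsanitize=shift this reports
     * "left shift of 1 by 31 places cannot be represented in type 'int'". */
    printf("pre-fix test on TER16x32: %d\n",
           size_ok_signed(FONT_SIZE_MASK(16), FONT_SIZE_MASK(32),
                          &sample_fonts[2]));
#endif
    return 0;
}
```

Without -DDEMO_UB the program never evaluates the undefined shift; it only reports which fonts would trigger it and shows that the fixed comparison still selects the 32-pixel-high font when the caller accepts that size. The predicate signed_shift_is_ub() is the same check a reviewer would apply to any 1 << (n - 1) pattern: if n can reach the bit width of int, the constant must be unsigned (or the type widened).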