CVE-2024-26798

MEDIUM
2024-04-04 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Apr 04, 2024 - 09:15 (nvd)

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

fbcon: always restore the old font data in fbcon_do_set_font()

Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the "system"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize().

This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. if fault injection is used to aid the execution/failure. It was demonstrated by Sirius:

  BUG: unable to handle page fault for address: fffffffffffffff8
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
  Oops: 0000 [#1] PREEMPT SMP KASAN
  CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
  RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
  Call Trace:
   <TASK>
   con_font_get drivers/tty/vt/vt.c:4558 [inline]
   con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
   vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
   vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
   tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
   vfs_ioctl fs/ioctl.c:51 [inline]
   ...

So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)

Analysis (AI)

A memory management flaw exists in the font handling code of the Linux kernel's framebuffer console (fbcon): when vc_resize() fails inside fbcon_do_set_font(), a system (built-in) font is not restored to its previous state. A subsequent font_get() call then dereferences an invalid font pointer, crashing the kernel and causing a denial of service. The vulnerability affects Linux kernel versions up to and including 6.8-rc6, requires local user privileges to trigger, and is hard to hit but reproducible with fault injection techniques, as demonstrated by Syzkaller.

Technical Context (AI)

The vulnerability resides in the Linux kernel's fbdev framebuffer subsystem, specifically in the fbcon.c driver responsible for console font management. The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), manifesting as incomplete error handling in the fbcon_do_set_font() function. A prior patch (commit a5a923038d70) restored the old font data upon vc_resize() failure only for user-supplied fonts and neglected system/internal fonts. When the console is still using a system font and vc_resize() fails, no old font pointer was saved, so the error path restores nothing and leaves the font data structures pointing at invalid memory. Subsequent calls to fbcon_get_font() then dereference these invalid pointers, triggering the page fault and kernel panic shown in the reported stack trace (address: fffffffffffffff8).
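To make the defect concrete, here is a constructed user-space model of the save/restore logic described above (example code written for this page, not the kernel's fbcon.c): set_font_buggy() mirrors the pre-fix flow, where the old pointer is remembered only for user fonts, and set_font_fixed() mirrors the patched flow that always remembers it. Refcounting of user fonts and the real vc_resize() are omitted; the resize failure is simulated by a flag.

```c
#include <stdbool.h>
#include <stddef.h>
struct font_slot {             /* models vc->vc_font.data plus the userfont flag */
    const unsigned char *data;
    bool userfont;
};
/* Constructed glyph bytes standing in for the built-in font and a user font. */
static const unsigned char builtin_font[] = { 0x7e, 0x81, 0x81, 0x7e };
static const unsigned char user_font[]    = { 0xff, 0x00, 0xff, 0x00 };

/* Pre-fix logic: the old pointer is remembered only for user fonts, so when
 * the simulated vc_resize() fails a built-in font is "restored" to NULL. */
int set_font_buggy(struct font_slot *f, const unsigned char *data, bool resize_fails)
{
    const unsigned char *old_data = NULL;
    bool old_userfont = f->userfont;
    if (f->userfont)
        old_data = f->data;
    f->data = data;
    f->userfont = true;
    if (resize_fails) {             /* error path: undo the swap */
        f->data = old_data;         /* NULL if the previous font was built in */
        f->userfont = old_userfont;
        return -1;
    }
    return 0;
}

/* Fixed logic: always remember the old pointer, so the restore is exact; any
 * later "free the old user font" decision keys off old_userfont instead. */
int set_font_fixed(struct font_slot *f, const unsigned char *data, bool resize_fails)
{
    const unsigned char *old_data = f->data;
    bool old_userfont = f->userfont;
    f->data = data;
    f->userfont = true;
    if (resize_fails) {
        f->data = old_data;
        f->userfont = old_userfont;
        return -1;
    }
    return 0;
}

/* The advisory's scenario: the first font change on a console still using the
 * built-in font fails in resize. Returns the pointer a later font_get() would use. */
const unsigned char *font_after_failed_first_set(int (*set_font)(struct font_slot *, const unsigned char *, bool))
{
    struct font_slot f = { builtin_font, false };
    set_font(&f, user_font, true);
    return f.data;
}
```

With the buggy variant the console is left with a NULL font pointer, which is the state the oops in the description was produced from; with the fixed variant it still points at the built-in font.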

Remediation (AI)

Apply the Linux kernel patch promptly by upgrading to a patched stable kernel that includes one of the six referenced commits (00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f or an equivalent backport). The fix modifies fbcon_do_set_font() to unconditionally restore the font data for both user and system fonts when vc_resize() fails, and changes the subsequent conditional to rely on old_userfont rather than on old_data being set. For Red Hat systems, check RHSA advisories; for Ubuntu, check the ubuntu-security-notice mailing list and livepatch services. Until patching is possible, restrict local console and TTY access via PAM configuration or systemd-logind restrictions to limit which users can trigger font operations. Monitor kernel logs for page faults in fbcon_get_font(), and consider disabling the framebuffer console entirely where graphics are not required, switching to a serial console or the basic VGA console instead.


CVE-2024-26798 vulnerability details – vuln.today
