Skip to main content

Linux Kernel EUVDEUVD-2026-32818

| CVE-2026-46191 HIGH
Out-of-bounds Read (CWE-125)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8j9w-r5cf-prpv
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.3 MEDIUM

Local console access with low privilege (PR:L), but reliably triggering the failed reallocation race raises AC to H; OOB read yields C:H and kernel crash yields A:H, with no integrity impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 03:22 vuln.today
CVSS changed
Jun 11, 2026 - 03:22 NVD
7.1 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.1

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Avoid OOB font access if console rotation fails

Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.

Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.

v2:

  • fix typos in commit message

AnalysisAI

Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.

Technical ContextAI

The vulnerability is in fbcon (framebuffer console), the kernel subsystem that renders text on framebuffer devices when no graphical session is active. CPE data identifies the Linux kernel (cpe:2.3:o:linux:linux_kernel) as the sole affected product. The root cause maps to CWE-125 (Out-of-bounds Read): when fbcon_rotate_font() attempts to reallocate the font glyph buffer to fit a rotated orientation, a failed allocation leaves the original, smaller buffer in place while the rotated putcs() routines index into it using character codes sized for the new orientation. High character codes therefore reference memory past the end of the original allocation. The fix clears the font buffer on allocation failure so the rotated putcs paths return early instead of dereferencing stale, undersized memory.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.90, 6.18.32, 7.1-rc1, or later mainline, applying your distribution's backported kernel update once available (Red Hat, SUSE, Debian, Ubuntu, etc. will ship advisories tied to these stable releases). The fix is the upstream patch series at git.kernel.org/stable/c/594973a2, 7105d9f1, ab6c34b9, b44cc78f, and e4ef723d. If you cannot patch immediately, the practical compensating control is to avoid using fbcon rotation: do not pass fbcon=rotate:1|2|3 on the kernel command line and avoid writing non-zero values to /sys/class/graphics/fbconN/rotate, which removes the vulnerable code path at the cost of losing rotated text-console display. Tightening access to /dev/tty* and font-configuration ioctls (KDFONTOP/PIO_FONTX) via CAP_SYS_TTY_CONFIG enforcement also reduces who can trigger font reallocation, though it may break legitimate console-font tooling.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy