{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-26798","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.179Z","datePublished":"2024-04-04T08:20:27.195Z","dateUpdated":"2026-02-06T16:30:52.928Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-02-06T16:30:52.928Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do_set_font()\n\nCommit a5a923038d70 (fbdev: fbcon: Properly revert changes when\nvc_resize() failed) started restoring old font data upon failure (of\nvc_resize()). But it performs so only for user fonts. It means that the\n\"system\"/internal fonts are not restored at all. So in result, the very\nfirst call to fbcon_do_set_font() performs no restore at all upon\nfailing vc_resize().\n\nThis can be reproduced by Syzkaller to crash the system on the next\ninvocation of font_get(). It's rather hard to hit the allocation failure\nin vc_resize() on the first font_set(), but not impossible. Esp. if\nfault injection is used to aid the execution/failure. It was\ndemonstrated by Sirius:\n  BUG: unable to handle page fault for address: fffffffffffffff8\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0\n  Oops: 0000 [#1] PREEMPT SMP KASAN\n  CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286\n  Call Trace:\n   <TASK>\n   con_font_get drivers/tty/vt/vt.c:4558 [inline]\n   con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673\n   vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]\n   vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752\n   tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803\n   vfs_ioctl fs/ioctl.c:51 [inline]\n  ...\n\nSo restore the font data in any case, not only for user fonts. Note the\nlater 'if' is now protected by 'old_userfont' and not 'old_data' as the\nlatter is always set now. (And it is supposed to be non-NULL. Otherwise\nwe would see the bug above again.)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/video/fbdev/core/fbcon.c"],"versions":[{"version":"868749a7456dc48e93887a8474194e2ee6d6c21f","lessThan":"ae68f57df3335679653868fafccd8c88ef84ae98","status":"affected","versionType":"git"},{"version":"ebd6f886aa2447fcfcdce5450c9e1028e1d681bb","lessThan":"20a4b5214f7bee13c897477168c77bbf79683c3d","status":"affected","versionType":"git"},{"version":"a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24","lessThan":"2f91a96b892fab2f2543b4a55740c5bee36b1a6b","status":"affected","versionType":"git"},{"version":"a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24","lessThan":"73a6bd68a1342f3a44cac9dffad81ad6a003e520","status":"affected","versionType":"git"},{"version":"a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24","lessThan":"a2c881413dcc5d801bdc9535e51270cc88cb9cd8","status":"affected","versionType":"git"},{"version":"a5a923038d70d2d4a86cb4e3f32625a5ee6e7e24","lessThan":"00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f","status":"affected","versionType":"git"},{"version":"f08ccb792d3eaf1dc62d8cbf6a30d6522329f660","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/video/fbdev/core/fbcon.c"],"versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","status":"unaffected","versionType":"semver"},{"version":"5.15.151","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.81","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.21","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.9","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.64","versionEndExcluding":"5.15.151"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.1.81"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.6.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.7.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ae68f57df3335679653868fafccd8c88ef84ae98"},{"url":"https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d"},{"url":"https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b"},{"url":"https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520"},{"url":"https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8"},{"url":"https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f"}],"title":"fbcon: always restore the old font data in fbcon_do_set_font()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26798","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-04-08T20:53:12.971429Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:48:30.291Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:14:13.539Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f","tags":["x_transferred"]}]}]}}