{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39967","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.149Z","datePublished":"2025-10-15T07:55:51.554Z","dateUpdated":"2026-05-11T21:39:53.533Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:39:53.533Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: fix integer overflow in fbcon_do_set_font\n\nFix integer overflow vulnerabilities in fbcon_do_set_font() where font\nsize calculations could overflow when handling user-controlled font\nparameters.\n\nThe vulnerabilities occur when:\n1. CALC_FONTSZ(h, pitch, charcount) performs h * pitch * charcount\n   multiplication with user-controlled values that can overflow.\n2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow\n3. This results in smaller allocations than expected, leading to buffer\n   overflows during font data copying.\n\nAdd explicit overflow checking using check_mul_overflow() and\ncheck_add_overflow() kernel helpers to safely validate all size\ncalculations before allocation."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/video/fbdev/core/fbcon.c"],"versions":[{"version":"96e41fc29e8af5c5085fb8a79cab8d0d00bab86c","lessThan":"994bdc2d23c79087fbf7dcd9544454e8ebcef877","status":"affected","versionType":"git"},{"version":"39b3cffb8cf3111738ea993e2757ab382253d86a","lessThan":"9c8ec14075c5317edd6b242f1be8167aa1e4e333","status":"affected","versionType":"git"},{"version":"39b3cffb8cf3111738ea993e2757ab382253d86a","lessThan":"b8a6e85328aeb9881531dbe89bcd2637a06c3c95","status":"affected","versionType":"git"},{"version":"39b3cffb8cf3111738ea993e2757ab382253d86a","lessThan":"a6eb9f423b3db000aaedf83367b8539f6b72dcfc","status":"affected","versionType":"git"},{"version":"39b3cffb8cf3111738ea993e2757ab382253d86a","lessThan":"adac90bb1aaf45ca66f9db8ac100be16750ace78","status":"affected","versionType":"git"},{"version":"39b3cffb8cf3111738ea993e2757ab382253d86a","lessThan":"4a4bac869560f943edbe3c2b032062f6673b13d3","status":"affected","versionType":"git"},{"version":"39b3cffb8cf3111738ea993e2757ab382253d86a","lessThan":"c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7","status":"affected","versionType":"git"},{"version":"39b3cffb8cf3111738ea993e2757ab382253d86a","lessThan":"1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe","status":"affected","versionType":"git"},{"version":"ae021a904ac82d9fc81c25329d3c465c5a7d5686","status":"affected","versionType":"git"},{"version":"451bffa366f2cc0e5314807cb847f31c0226efed","status":"affected","versionType":"git"},{"version":"2c455e9c5865861f5ce09c5f596909495ed7657c","status":"affected","versionType":"git"},{"version":"72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e","status":"affected","versionType":"git"},{"version":"34cf1aff169dc6dedad8d79da7bf1b4de2773dbc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/video/fbdev/core/fbcon.c"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"5.4.300","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.245","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.194","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.155","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.109","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.50","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.10","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.62","versionEndExcluding":"5.4.300"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.10.245"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.15.194"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.1.155"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.109"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.12.50"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.16.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.196"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.143"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/994bdc2d23c79087fbf7dcd9544454e8ebcef877"},{"url":"https://git.kernel.org/stable/c/9c8ec14075c5317edd6b242f1be8167aa1e4e333"},{"url":"https://git.kernel.org/stable/c/b8a6e85328aeb9881531dbe89bcd2637a06c3c95"},{"url":"https://git.kernel.org/stable/c/a6eb9f423b3db000aaedf83367b8539f6b72dcfc"},{"url":"https://git.kernel.org/stable/c/adac90bb1aaf45ca66f9db8ac100be16750ace78"},{"url":"https://git.kernel.org/stable/c/4a4bac869560f943edbe3c2b032062f6673b13d3"},{"url":"https://git.kernel.org/stable/c/c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7"},{"url":"https://git.kernel.org/stable/c/1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe"}],"title":"fbcon: fix integer overflow in fbcon_do_set_font","x_generator":{"engine":"bippy-1.2.0"}}}}