drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
Summary
| CVE | CVE-2025-68296 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-12-16 16:16:08 UTC |
| Updated | 2026-06-19 13:16:24 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before registering the framebuffer, the value of node is -1 and therefore not a legal value. For example, fbcon uses the value within set_con2fb_map() [1] as an index into an array. Moving vga_switcheroo_client_fb_set() after register_framebuffer() can result in VGA switching that does not switch fbcon correctly. Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(), which already holds the console lock. Fbdev calls fbcon_fb_registered() from within register_framebuffer(). Serializes the helper with VGA switcheroo's call to fbcon_remap_all(). Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info as parameter, it really only needs the contained fbcon state. Moving the call to fbcon initialization is therefore cleaner than before. Only amdgpu, i915, nouveau and radeon support vga_switcheroo. For all other drivers, this change does nothing. |
Risk And Classification
EPSS: 0.001660000 probability, percentile 0.061500000 (date 2026-06-19)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 6a9ee8af344e3bd7dbd61e67037096cdf7f83289 711ebd961190def4c69ea24b2f0be75e995af24a git | Not specified |
| CNA | Linux | Linux | affected 6a9ee8af344e3bd7dbd61e67037096cdf7f83289 482330f8261b4bea8146d9bd69c1199e5dfcbb5c git | Not specified |
| CNA | Linux | Linux | affected 6a9ee8af344e3bd7dbd61e67037096cdf7f83289 05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a git | Not specified |
| CNA | Linux | Linux | affected 6a9ee8af344e3bd7dbd61e67037096cdf7f83289 eb76d0f5553575599561010f24c277cc5b31d003 git | Not specified |
| CNA | Linux | Linux | affected 2.6.34 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.34 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.143 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.61 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.17.11 6.17.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/711ebd961190def4c69ea24b2f0be75e995af24a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/482330f8261b4bea8146d9bd69c1199e5dfcbb5c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/eb76d0f5553575599561010f24c277cc5b31d003 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.