Integer Overflow Vulnerability in Linux Kernel Affecting Font Management
CVE-2025-39967
What is CVE-2025-39967?
This vulnerability in the Linux kernel is in the fbcon_do_set_font() function, where font size calculations can overflow an integer because they multiply user-controlled parameters. Specifically, CALC_FONTSZ(h, pitch, charcount) can overflow if the input values are not validated. The calculations involving FONT_EXTRA_WORDS and the size can overflow as well. These miscalculations can cause too little memory to be allocated, which allows a buffer overflow when the font data is copied. Kernel developers mitigated the issue by adding explicit overflow checks with the check_mul_overflow() and check_add_overflow() helper functions, so that all relevant size calculations are validated before memory is allocated.
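The size arithmetic described above can be modelled in userspace. The following is an added example, not the kernel's code or the actual patch. It uses the GCC/Clang builtins __builtin_mul_overflow() and __builtin_add_overflow() in place of the kernel helpers; the function names, the EXTRA_WORDS value of 4 and the input values are assumptions made for illustration.

```c
#include <stdio.h>

/* Assumed stand-in for FONT_EXTRA_WORDS; the value 4 is an assumption. */
#define EXTRA_WORDS 4u

/* Unchecked form, modelled on CALC_FONTSZ(h, pitch, charcount):
 * a plain 32-bit product that silently wraps on large inputs. */
static unsigned int unchecked_font_size(unsigned int h, unsigned int pitch,
                                        unsigned int charcount)
{
    return h * pitch * charcount;
}

/* Checked form: every step is validated before the result is used as an
 * allocation size. Returns 0 and stores the size, or -1 on overflow. */
static int checked_alloc_size(unsigned int h, unsigned int pitch,
                              unsigned int charcount, int *alloc)
{
    int size;

    /* h * pitch * charcount must fit in an int at each step. */
    if (__builtin_mul_overflow(h, pitch, &size) ||
        __builtin_mul_overflow(size, charcount, &size))
        return -1;
    /* The extra header words added in front of the data must fit too. */
    if (__builtin_add_overflow(EXTRA_WORDS * sizeof(int), size, alloc))
        return -1;
    return 0;
}

int main(void)
{
    int alloc;

    /* Constructed inputs: 65536 * 65536 * 1 = 2^32, which wraps to 0. */
    printf("unchecked: %u\n", unchecked_font_size(65536u, 65536u, 1u));
    printf("checked:   %d\n", checked_alloc_size(65536u, 65536u, 1u, &alloc));

    /* Constructed ordinary case: height 16, pitch 1, 256 glyphs. */
    if (checked_alloc_size(16u, 1u, 256u, &alloc) == 0)
        printf("valid font: %d bytes\n", alloc);
    return 0;
}
```

The unchecked product wraps to 0, which is the too-small allocation size the advisory describes, while the checked version rejects the same input before any allocation would take place.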
Affected Version(s)
Linux 96e41fc29e8af5c5085fb8a79cab8d0d00bab86c < 994bdc2d23c79087fbf7dcd9544454e8ebcef877
Linux 39b3cffb8cf3111738ea993e2757ab382253d86a < 9c8ec14075c5317edd6b242f1be8167aa1e4e333
Linux 39b3cffb8cf3111738ea993e2757ab382253d86a