{"id":"CVE-2025-39967","summary":"fbcon: fix integer overflow in fbcon_do_set_font","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: fix integer overflow in fbcon_do_set_font\n\nFix integer overflow vulnerabilities in fbcon_do_set_font() where font\nsize calculations could overflow when handling user-controlled font\nparameters.\n\nThe vulnerabilities occur when:\n1. CALC_FONTSZ(h, pitch, charcount) performs h * pitch * charcount\n   multiplication with user-controlled values that can overflow.\n2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow\n3. This results in smaller allocations than expected, leading to buffer\n   overflows during font data copying.\n\nAdd explicit overflow checking using check_mul_overflow() and\ncheck_add_overflow() kernel helpers to safely validate all size\ncalculations before allocation.","modified":"2026-03-20T12:43:07.925464Z","published":"2025-10-15T07:55:51.554Z","related":["MGASA-2025-0309","MGASA-2025-0310","SUSE-SU-2025:21040-1","SUSE-SU-2025:21052-1","SUSE-SU-2025:21056-1","SUSE-SU-2025:21064-1","SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4111-1","SUSE-SU-2025:4128-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4139-1","SUSE-SU-2025:4140-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4149-1","SUSE-SU-2025:4301-1","SUSE-SU-2025:4320-1","SUSE-SU-2025:4515-1","SUSE-SU-2026:0029-1","SUSE-SU-2026:0033-1","openSUSE-SU-2025:20091-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39967.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4a4bac869560f943edbe3c2b032062f6673b13d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/994bdc2d23c79087fbf7dcd9544454e8ebcef877"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9c8e
c14075c5317edd6b242f1be8167aa1e4e333"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a6eb9f423b3db000aaedf83367b8539f6b72dcfc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/adac90bb1aaf45ca66f9db8ac100be16750ace78"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b8a6e85328aeb9881531dbe89bcd2637a06c3c95"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39967.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39967"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"96e41fc29e8af5c5085fb8a79cab8d0d00bab86c"},{"fixed":"994bdc2d23c79087fbf7dcd9544454e8ebcef877"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"39b3cffb8cf3111738ea993e2757ab382253d86a"},{"fixed":"9c8ec14075c5317edd6b242f1be8167aa1e4e333"},{"fixed":"b8a6e85328aeb9881531dbe89bcd2637a06c3c95"},{"fixed":"a6eb9f423b3db000aaedf83367b8539f6b72dcfc"},{"fixed":"adac90bb1aaf45ca66f9db8ac100be16750ace78"},{"fixed":"4a4bac869560f943edbe3c2b032062f6673b13d3"},{"fixed":"c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7"},{"fixed":"1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"ae021a904ac82d9fc81c25329d3c465c5a7d5686"},{"last_affected":"451bffa366f2cc0e5314807cb847f31c0226efed"},{"last_affected":"2c455e9c5865861f5ce09c5f596909495ed7657c"},{"last_affected":"72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e"},{"last_affected":"34cf1aff169dc6dedad8d79da7bf1b4de2773dbc"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2
025-39967.json"}}],"schema_version":"1.7.5"}