HIGH 7.1

CVE-2026-46191: Linux fbcon Out-of-Bounds Memory Access via Console Rotation Failure

CVE-2026-46191 is a memory access vulnerability in the Linux kernel's framebuffer console (fbcon) subsystem. When the kernel attempts to rotate the console display and the memory reallocation fails, it continues using an undersized font buffer. If a user then prints characters with high numeric codes to the rotated console, the kernel will write beyond the buffer's boundaries, potentially corrupting kernel memory. An attacker with local system access can trigger this by printing specific characters after inducing a console rotation failure.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-19

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: fbcon: Avoid OOB font access if console rotation fails Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example. Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer. v2: - fix typos in commit message

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in fbcon_rotate_font(), which manages font buffer reallocation during console rotation. On reallocation failure, the function retains the original buffer instead of clearing it. The rotated font requires more memory than the original, so the old buffer becomes too small. Subsequent putcs operations on the rotated console fail to detect this condition and proceed with out-of-bounds writes when processing characters with sufficiently high codes. The fix clears the font buffer on reallocation failure, causing putcs implementations to return early and prevent the out-of-bounds access. CWE-125 (Out-of-bounds Read) is the relevant weakness, though the practical risk here involves both read and write vulnerabilities in the buffer region.

Business impact

This vulnerability enables local privilege escalation and kernel memory corruption. An authenticated local attacker can crash the kernel (denial of service) or potentially execute arbitrary code in kernel context, depending on the specific memory layout and exploitation technique. On systems where unprivileged users interact with console output—such as multi-user servers, containerized environments, or systems running terminal-based applications—the risk is elevated. Compromised kernel memory can lead to system instability, data loss, or complete system compromise.

Affected systems

The Linux kernel is affected. All recent stable and development versions prior to the patch are vulnerable. The impact depends on kernel configuration, particularly whether fbcon (framebuffer console) is compiled and active. Systems using serial consoles or graphical display servers without fbcon enabled are not affected. Embedded systems, IoT devices, and older servers relying on framebuffer consoles are higher-risk targets.

Exploitability

Exploitation requires local system access (CWE vector reflects AV:L, Access Vector: Local). The attacker must be able to execute commands or interact with the console. No special privileges are initially required, though the effect of exploitation depends on kernel memory state. A successful trigger is deterministic once console rotation failure conditions are established, making this reasonably reliable to exploit in lab conditions. However, practical exploitation complexity varies with kernel mitigations (SMEP, SMAP, CFI) and address space layout randomization.

Remediation

Apply the Linux kernel patch that clears the font buffer when reallocation fails during console rotation. This fix ensures that fbcon gracefully handles the failure case and prevents subsequent out-of-bounds writes. Verify the patch against your kernel version and distribution; vendor advisories and kernel release notes will specify exact patched versions. As an interim mitigation, disable fbcon if not required (use nomodeset boot parameter or compile the kernel without CONFIG_FRAMEBUFFER_CONSOLE), or restrict console access via kernel lockdown or user permission policies.

Patch guidance

Identify your Linux kernel version (uname -r). Check your distribution's security advisory or kernel.org for the patched version incorporating this fix. The patch is typically backported to stable kernel branches (6.1.x, 6.6.x, 6.9.x, etc.). Apply security updates from your vendor (Red Hat, Canonical, SUSE, etc.) as soon as available. Test patches in a staging environment before production deployment, especially for kernel updates affecting display subsystems.

Detection guidance

Monitor for kernel log messages indicating fbcon reallocation failures (dmesg or syslog for fbcon-related errors). Implement kernel crash detection via kdump or similar mechanisms—out-of-bounds writes often trigger kernel oops or panic. Observe processes attempting repeated console rotation or high-code character output; this is unusual in normal workloads. On systems with SELinux or AppArmor, monitor for policy violations related to fbcon device access. Host-based intrusion detection can flag suspicious interactions with /dev/fb* or console devices.

Why prioritize this

This vulnerability merits high priority due to its CVSS 7.1 (HIGH) rating, local attack vector, and kernel-level impact. Any local attacker can trigger memory corruption, leading to denial of service or privilege escalation. Even though KEV status is not active, the risk of exploitation is significant in multi-user environments. Prioritize patching systems where fbcon is actively used and unprivileged users have console access.

Risk score, explained

CVSS 3.1 score of 7.1 reflects: AV:L (local access only), AC:L (low attack complexity—no special conditions required), PR:L (low privilege, any local user), UI:N (no user interaction), S:U (scoped to the affected system), C:H (high confidentiality impact via kernel memory read), I:N (no integrity compromise in the scoring model), and A:H (high availability impact via kernel crash or memory corruption). The score correctly penalizes the local-only vector but emphasizes the severity of kernel-level memory safety violations. Real-world impact is contextual and depends on system configuration and attacker capabilities.

Frequently asked questions

Do I need to patch if I use a graphical display server like X11 or Wayland instead of fbcon?

Likely no, if fbcon is not active. However, verify by checking kernel configuration (grep CONFIG_FRAMEBUFFER_CONSOLE /boot/config-*) or boot parameters. If CONFIG_FRAMEBUFFER_CONSOLE=n or nomodeset is in use, fbcon is disabled and this CVE does not apply. Always patch for defense in depth, but prioritize systems using framebuffer consoles.

Can this vulnerability be exploited remotely?

No. The CVSS vector AV:L (Local Access Vector) and the vulnerability's nature require direct local system access. An attacker must be able to execute commands or interact with the console. Remote exploitation is not possible without a separate local code execution vulnerability.

What is the difference between this issue and a typical buffer overflow?

This is specifically an out-of-bounds write in kernel memory triggered by a failed reallocation path that is normally unreachable. It's more subtle than a traditional overflow; the vulnerability emerges only when the reallocation fails and the code continues with an undersized buffer. Most systems never trigger this path, but when they do, it is dangerous.

Will a kernel update from my distribution fix this?

Yes, once your distribution releases a patched kernel. Check your vendor's security advisories (Red Hat, Canonical, SUSE, etc.). Roll out kernel security updates from your vendor as part of your standard patch cycle. Do not wait for a public announcement—subscribe to vendor mailing lists for timely notification.

This analysis is based on CVE-2026-46191 as published in official sources. SEC.co provides this intelligence for informational and risk-management purposes. Patch versions, vendor advisories, and distribution-specific details must be verified against your vendor's official security guidance before deployment. No exploit code or proof-of-concept is provided. Organizations should test patches in non-production environments before widespread rollout. Actual risk depends on system configuration, kernel version, and environment. Consult your systems team and official kernel documentation for definitive patch and deployment guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).