CVE-2024-26798: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

fbcon: always restore the old font data in fbcon_do_set_font()

Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the "system"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. if fault injection is used to aid the execution/failure. It was demonstrated by Sirius:

BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
Call Trace:
 <TASK>
 con_font_get drivers/tty/vt/vt.c:4558 [inline]
 con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
 vfs_ioctl fs/ioctl.c:51 [inline]
 ...

So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)
AI Analysis
Technical Summary
CVE-2024-26798 is a vulnerability in the Linux kernel's framebuffer console (fbcon) subsystem, specifically in the function fbcon_do_set_font(). The issue arises from improper restoration of font data when the virtual console resize operation (vc_resize()) fails. A prior commit (a5a923038d70) attempted to address this by restoring the old font data upon failure, but that fix only applied to user fonts and neglected the system/internal fonts. Consequently, if vc_resize() fails during the first invocation of fbcon_do_set_font() on a console still using a built-in font, the old font data is not restored, leaving the console's font pointer in an invalid state and leading to a use-after-free or invalid memory access scenario. This flaw can cause a kernel crash manifested as a page fault in kernel mode, as demonstrated by a proof-of-concept crash triggered by Syzkaller with fault injection. The crash trace shows a supervisor read access violation at address fffffffffffffff8 during font retrieval (fbcon_get_font(), reached through the console font ioctl path), consistent with a read through the NULL font data pointer that the failed restore leaves behind. The root cause is that the old font data pointer is not saved and restored for system fonts; it should always be reverted to maintain kernel stability. The fix restores the font data unconditionally, not just for user fonts, and switches the later check from old_data to old_userfont (since old_data is now always set), ensuring that the kernel does not access freed or invalid memory after a failed resize operation. This vulnerability affects multiple Linux kernel versions identified by specific commit hashes and is relevant to systems using the framebuffer console interface for text display. Although exploitation requires triggering a failure in vc_resize(), which is not trivial, fault injection or fuzzing tools can facilitate this. No known exploits are reported in the wild as of the publication date.
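The save/restore logic described above, as an added user-space model written for this page (it is not the kernel's code and does not touch any device). The font-buffer layout (FONT_EXTRA_WORDS, REFCOUNT, FNTSIZE as bookkeeping ints placed before the glyph data) follows include/linux/font.h; the console struct, the simulated vc_resize(), the font dimensions and the built-in font bytes are constructed stand-ins. The `fixed` flag selects the pre-fix logic (old font saved only for user fonts) or the fixed logic (old font always saved, later check guarded by old_userfont), so both halves of the fix can be exercised on the commit message's scenario:

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Font buffer layout as in include/linux/font.h: a user font carries FONT_EXTRA_WORDS
 * ints of bookkeeping in front of its glyph data; a built-in font does not. */
#define FONT_EXTRA_WORDS 4
#define REFCOUNT(fd) (((int *)(fd))[-1])
#define FNTSIZE(fd)  (((int *)(fd))[-2])

struct console {               /* constructed stand-in for vc->vc_font plus p->userfont */
    unsigned char *font_data;  /* vc->vc_font.data */
    int userfont;              /* non-zero when font_data came from userspace */
    int width, height;
};

/* Constructed built-in font bytes; no bookkeeping words precede them in memory. */
static const unsigned char builtin_font[16] = { 0x18, 0x3c, 0x66, 0x7e, 0x66, 0x66 };

/* Allocate a user font with the kernel's layout: bookkeeping words, then glyphs. */
static unsigned char *alloc_user_font(int size)
{
    int nwords = FONT_EXTRA_WORDS + (size + (int)sizeof(int) - 1) / (int)sizeof(int);
    unsigned char *data = (unsigned char *)((int *)calloc((size_t)nwords, sizeof(int)) + FONT_EXTRA_WORDS);
    FNTSIZE(data) = size;
    REFCOUNT(data) = 0;
    return data;
}

static void free_user_font(unsigned char *data) { free(data - FONT_EXTRA_WORDS * sizeof(int)); }

/* Simulated vc_resize(): the allocation failure the commit message describes. */
static int vc_resize_sim(int should_fail) { return should_fail ? -ENOMEM : 0; }

/* Model of fbcon_do_set_font(). fixed=0: pre-fix logic (old_data saved only for user fonts).
 * fixed=1: the fix (old_data always saved; the later 'if' guarded by old_userfont). */
static int do_set_font(struct console *c, unsigned char *data, int userfont,
                       int w, int h, int resize_fails, int fixed)
{
    unsigned char *old_data = NULL;
    int old_userfont, old_w = c->width, old_h = c->height, ret = 0;
    int resize = (w != c->width) || (h != c->height);

    if (fixed || c->userfont)            /* pre-fix: a built-in font was never saved */
        old_data = c->font_data;
    c->font_data = data;
    old_userfont = c->userfont;
    if ((c->userfont = userfont))
        REFCOUNT(data)++;
    c->width = w; c->height = h;

    if (resize) {
        ret = vc_resize_sim(resize_fails);
        if (ret) goto err_out;
    }
    /* Success: drop the old user font when unreferenced. A built-in font has no REFCOUNT
     * word, so once old_data is always set the guard has to be old_userfont. */
    if (fixed ? (old_userfont && --REFCOUNT(old_data) == 0)
              : (old_data && --REFCOUNT(old_data) == 0))
        free_user_font(old_data);
    return 0;

err_out:
    c->font_data = old_data;             /* pre-fix: NULL when the old font was built in */
    if (userfont) {
        c->userfont = old_userfont;
        REFCOUNT(data)--;
    }
    c->width = old_w; c->height = old_h;
    return ret;
}

/* One font_set() on a console still using the built-in font (the "very first call").
 * Returns 1 if the console is consistent afterwards: fully restored when vc_resize()
 * fails, or switched to the user font with one reference when it succeeds. *read_addr
 * receives the address a later fbcon_get_font() would read FNTSIZE(font_data) from. */
static int first_set_font(int fixed, int resize_fails, uintptr_t *read_addr)
{
    struct console c = { (unsigned char *)builtin_font, 0, 8, 16 };
    unsigned char *user = alloc_user_font(sizeof builtin_font);
    int ret = do_set_font(&c, user, 1, 8, 8, resize_fails, fixed);
    int ok = resize_fails
        ? ret == -ENOMEM && c.font_data == builtin_font && c.userfont == 0 &&
          REFCOUNT(user) == 0 && c.width == 8 && c.height == 16
        : ret == 0 && c.font_data == user && c.userfont == 1 && REFCOUNT(user) == 1;
    if (read_addr)
        *read_addr = (uintptr_t)c.font_data - 2 * sizeof(int);
    free_user_font(user);
    return ok;
}

/* With the pre-fix logic and a failed resize this is 0 - 8 = 0xfffffffffffffff8 on a
 * 64-bit kernel, the faulting address reported in the oops above. */
static uintptr_t fntsize_addr_after_first_failure(int fixed)
{
    uintptr_t addr = 0;
    first_set_font(fixed, 1, &addr);
    return addr;
}
```

Calling `first_set_font(0, 1, NULL)` reproduces the pre-fix outcome: the console is left with a NULL font pointer, and the address the next FNTSIZE read would touch is 0xfffffffffffffff8, matching the oops. `first_set_font(1, 1, NULL)` shows the fixed path restoring the built-in font, the width/height and the user font's reference count. The two success cases (`resize_fails = 0`) are the reason the later check moved to old_userfont: in the fixed version old_data is the built-in font, which has no REFCOUNT word in front of it, so guarding on old_data would read memory before a static array.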
Potential Impact
For European organizations, the impact of CVE-2024-26798 primarily involves potential denial-of-service (DoS) conditions due to kernel crashes on affected Linux systems. Systems relying on framebuffer console for local or remote text-based management, embedded devices, or specialized Linux distributions using fbcon could experience unexpected reboots or service interruptions. This could affect critical infrastructure, industrial control systems, or servers where uptime and stability are paramount. Although this vulnerability does not directly lead to privilege escalation or remote code execution, the resulting kernel panic can disrupt operations, cause data loss, or trigger failover mechanisms. Organizations with Linux-based appliances or legacy systems that have not applied recent kernel patches are at risk. The difficulty in triggering the fault reduces the likelihood of widespread exploitation, but targeted attacks or automated fuzzing in hostile environments could exploit this flaw to degrade service availability.
Mitigation Recommendations
To mitigate CVE-2024-26798, European organizations should:
1) Apply the latest Linux kernel patches that include the fix restoring font data unconditionally in fbcon_do_set_font(). This is the definitive solution to prevent the kernel crash.
2) For systems where immediate patching is not feasible, consider disabling framebuffer console usage or switching to alternative console drivers that do not rely on the vulnerable code path.
3) Implement kernel lockdown or integrity monitoring to detect abnormal kernel crashes and automate alerts for early incident response.
4) Employ fuzz testing and fault injection in controlled environments to proactively identify similar kernel vulnerabilities.
5) Maintain updated backups and failover strategies to minimize downtime in case of kernel panics.
6) Monitor security advisories from Linux distributions and vendors for backported fixes and apply them promptly.
7) Restrict access to systems that could trigger the vulnerability, limiting local user permissions and preventing untrusted code execution that might induce vc_resize() failures.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.179Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbdda94
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:39:30 AM
Last updated: 8/14/2025, 6:39:15 PM