CVE-2026-46191
Analyzed - Analysis Complete
fbcon OOB Font Access Due to Console Rotation Failure

Publication date: 2026-05-28

Last updated on: 2026-06-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fbcon: Avoid OOB font access if console rotation fails

Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.

Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.

v2:
- fix typos in commit message

Meta Information

Published: 2026-05-28
Last Modified: 2026-06-11
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16

Affected Vendors & Products

Showing 4 associated CPEs

Vendor    Product         Version / Range
linux     linux_kernel    From 6.19 (inc) to 7.0.7 (exc)
linux     linux_kernel    From 6.13 (inc) to 6.18.32 (exc)
linux     linux_kernel    From 6.7 (inc) to 6.12.90 (exc)
linux     linux_kernel    From 2.6.15 (inc) to 6.6.140 (exc)

CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability exists in the Linux kernel's framebuffer console (fbcon) component. Specifically, it involves the function fbcon_rotate_font(), which handles console rotation. When the font buffer reallocation fails during console rotation, the old font buffer, which is too small for the rotated font, is kept. Printing characters with high character codes then causes an out-of-bounds (OOB) access, leading to a font buffer overflow.

The fix involves clearing the font buffer if the reallocation fails, so that the putcs implementations for the rotated buffer return early and avoid accessing invalid memory.
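
A simplified user-space model of the failure mode and the fix described above, added here as an illustration and not taken from the kernel source. The struct, the function names and the glyph and cell sizes are assumptions made for the example; instead of performing the read, glyph_access() only classifies where it would land.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified user-space model of the bug class; all names are hypothetical
 * and this is not the kernel's code. */
struct rot_font {
    unsigned char *buf;  /* rotated glyph data, NULL when unavailable */
    size_t size;         /* bytes allocated in buf */
};

/* Prepare the rotated buffer for nglyphs glyphs of cellsize bytes each.
 * fail_alloc simulates the allocation failing; clear_on_fail selects the
 * fixed behaviour (drop the stale buffer) over the old one (keep it). */
int rotate_font(struct rot_font *f, size_t nglyphs, size_t cellsize,
                int fail_alloc, int clear_on_fail)
{
    size_t need = nglyphs * cellsize;
    if (need <= f->size)
        return 0;                       /* existing buffer is big enough */
    unsigned char *nb = fail_alloc ? NULL : calloc(nglyphs, cellsize);
    if (!nb) {
        if (clear_on_fail) {            /* fixed: no buffer, putcs bails out */
            free(f->buf);
            f->buf = NULL;
            f->size = 0;
        }                               /* old: stale, too-small buffer stays */
        return -1;
    }
    free(f->buf);
    f->buf = nb;
    f->size = need;
    return 0;
}

/* Classify the glyph read a putcs-style routine would do for character c:
 * 0 = skipped (no buffer), 1 = inside the buffer, -1 = past its end. */
int glyph_access(const struct rot_font *f, size_t cellsize, unsigned c)
{
    if (!f->buf)
        return 0;                       /* the early return the fix relies on */
    return ((size_t)c + 1) * cellsize <= f->size ? 1 : -1;
}

/* Constructed scenario: buffer sized for 256 glyphs of 16 bytes, then a
 * rotation to a 512-glyph font of 32 bytes per cell fails to allocate. */
int demo(int clear_on_fail, unsigned c)
{
    struct rot_font f = { calloc(256, 16), 256 * 16 };
    rotate_font(&f, 512, 32, 1, clear_on_fail);
    int r = glyph_access(&f, 32, c);
    free(f.buf);
    return r;
}
```

With the stale buffer kept, low character codes still land inside it, which is why the fault only appears for a high-enough character code.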

Impact Analysis

This vulnerability can lead to an out-of-bounds memory access in the framebuffer console when printing characters after a failed console rotation. Such an access could potentially cause system instability, crashes, or unexpected behavior in the console display.

While the description does not specify exploitation details, out-of-bounds access vulnerabilities can sometimes be leveraged for privilege escalation or denial of service attacks depending on the context.

Mitigation Strategies

The vulnerability is resolved by updating the Linux kernel to a version where the fbcon_rotate_font() function properly clears the font buffer if reallocation during console rotation fails. Therefore, the immediate mitigation step is to apply the kernel update that includes this fix.
