CVE-2025-39967: In the Linux kernel, the following vulnerability has been resolved: fbcon: fix integer overflow in fbcon_do_set_font Fix integer overflow vulnerabil...

Description

In the Linux kernel, the following vulnerability has been resolved: fbcon: fix integer overflow in fbcon_do_set_font Fix integer overflow vulnerabilities in fbcon_do_set_font() where font size calculations could overflow when handling user-controlled font parameters. The vulnerabilities occur when: 1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount multiplication with user-controlled values that can overflow. 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow 3. This results in smaller allocations than expected, leading to buffer overflows during font data copying. Add explicit overflow checking using check_mul_overflow() and check_add_overflow() kernel helpers to safety validate all size calculations before allocation.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.16%

5.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-190

Affected Software

Vendor	Product	Versions	Update
Linux	Linux Kernel	>= 4.4.235, < 4.5	—
Linux	Linux Kernel	>= 4.9.235, < 4.10	—
Linux	Linux Kernel	>= 4.14.196, < 4.15	—
Linux	Linux Kernel	>= 4.19.143, < 4.20	—
Linux	Linux Kernel	>= 5.4.62, < 5.4.300	—
Linux	Linux Kernel	>= 5.8.6, < 5.9	—
Linux	Linux Kernel	>= 5.9.1, < 5.10.245	—
Linux	Linux Kernel	>= 5.11, < 5.15.194	—
Linux	Linux Kernel	>= 5.16, < 6.1.155	—
Linux	Linux Kernel	>= 6.2, < 6.6.109	—
Linux	Linux Kernel	>= 6.7, < 6.12.50	—
Linux	Linux Kernel	>= 6.13, < 6.16.10	—
Linux	Linux Kernel	5.9	—
Linux	Linux Kernel	6.17	Rc1

References

Timeline

Published: Oct 15, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-39967?

In the Linux kernel, the following vulnerability has been resolved: fbcon: fix integer overflow in fbcon_do_set_font Fix integer overflow vulnerabilities in fbcon_do_set_font() where font size calculations could overflow when handling user-controlled font parameters. The vulnerabilities occur when: 1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount multiplication with user-controlled values that can overflow. 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow 3. This results in smaller allocations than expected, leading to buffer overflows during font data copying. Add explicit overflow checking using check_mul_overflow() and check_add_overflow() kernel helpers to safety validate all size calculations before allocation.

How severe is CVE-2025-39967?

CVE-2025-39967 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.16% probability of exploitation in the next 30 days.

How do I fix CVE-2025-39967?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.