CVE-2025-38213: vgacon: Add check for vc_origin address range in vgacon_scroll()

Description

In the Linux kernel, the following vulnerability has been resolved:

vgacon: Add check for vc_origin address range in vgacon_scroll()

Our in-house Syzkaller reported the following BUG (twice), which we
believed was the same issue with [1]:

==================================================================
BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393
...
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364
print_report+0xba/0x280 mm/kasan/report.c:475
kasan_report+0xa9/0xe0 mm/kasan/report.c:588
vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
vcs_write_buf_noattr drivers/tty/vt/vc_screen.c:493 [inline]
vcs_write+0x586/0x840 drivers/tty/vt/vc_screen.c:690
vfs_write+0x219/0x960 fs/read_write.c:584
ksys_write+0x12e/0x260 fs/read_write.c:639
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2
...

Allocated by task 5614:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:201 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc+0x62/0x140 mm/slab_common.c:...

Classification

CVE ID: CVE-2025-38213

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.52% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-07-10 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-38213
https://git.kernel.org/stable/c/e44532b1c358bfd2c4c7dc28fd01d47fef09ac70
https://git.kernel.org/stable/c/843de5fbfe277e30fb333a7fa033b684c37829ac
https://git.kernel.org/stable/c/bf9c07864765864b968e59c7b72db91130d621ca
https://git.kernel.org/stable/c/9928ba7de39793a1c7c77b8b9e6ecf6209110311
https://git.kernel.org/stable/c/2f4040a5855a59e48296f1b5a7cc0fceea3195b1
https://git.kernel.org/stable/c/f20fd54af4e1077fdbca4dd98375a4d1d941e50d
https://git.kernel.org/stable/c/499b77fa1416a85fee106e60b240e912bca10cb8
https://git.kernel.org/stable/c/864f9963ec6b4b76d104d595ba28110b87158003

Timeline