In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address. This fixes a global out-of-bounds read reported by syzbot.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2025120823-CVE-2025-40322-6355@gregkh/T
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:1661 https://access.redhat.com/errata/RHSA-2026:1661
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:1662 https://access.redhat.com/errata/RHSA-2026:1662
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:1727 https://access.redhat.com/errata/RHSA-2026:1727
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:2282 https://access.redhat.com/errata/RHSA-2026:2282
The fix is faulty in that it expects vc->vc_font.charcount to be always set. See https://lkml.org/lkml/2026/1/5/540 for an explanation and a fix. The issue applies to RHEL v8.10 kernel at least, causing garbage text display (only white blocks) on fbcon virtual consoles as described by the author of the referenced lkml post.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:2352 https://access.redhat.com/errata/RHSA-2026:2352
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2026:2490 https://access.redhat.com/errata/RHSA-2026:2490
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:2535 https://access.redhat.com/errata/RHSA-2026:2535
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:2560 https://access.redhat.com/errata/RHSA-2026:2560
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:2573 https://access.redhat.com/errata/RHSA-2026:2573
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:2577 https://access.redhat.com/errata/RHSA-2026:2577
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:2583 https://access.redhat.com/errata/RHSA-2026:2583
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:2594 https://access.redhat.com/errata/RHSA-2026:2594
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2026:2664 https://access.redhat.com/errata/RHSA-2026:2664
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:2722 https://access.redhat.com/errata/RHSA-2026:2722
Can anyone share update on causing garbage text display (only white blocks) with Latest redhat kernels after this fix ? I couldn't find any CVE references showing the issue with Latest kernel ( 4.18.0-553.104.1 ) which gives white blocks instead of clear text while booting. Thanks.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2026:3360 https://access.redhat.com/errata/RHSA-2026:3360