Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: fbdev: A potential buffer overflow issue in doregisterframebuffer has been fixed. The current implementation may lead to buffer overflow when: 1. Unregistration creates NULL gaps in the registeredfb array; 2. All array slots beco...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerabilities have been resolved: drm/vc4: Do not check if plane-state-fb == state-fb Currently, when using non-blocking commits, the following kernel warnings can be observed: 110.908514 ------------ Cut here ------------ 110.908529 refcountt: Underflow; Use...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: Video: fbdev: sm712fb: Fixed a crash in smtcfbwrite When the sm712fb driver writes three bytes to the framebuffer, the driver crashes. Bug: Unable to handle a page fault for the address: ffffc90001ffffff RIP:...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: video: fbdev: nvidiafb: Use strscpy to prevent buffer overflow Coverity reports a possible buffer overflow issue. However, given the ‘static’ scope of nvidiasetupi2cbus, it seems that this issue cannot occur after examining the...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fbdisplayi-mode to NULL when the mode is released. Recently, we discovered the following issue through syzkaller: BUG: KASAN: Slab-use-after-free in fbmodeisequal+0x285/0x2f0 A read of size 4 at address ff11000001b3c69...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: fbdev: core: fbcvt: avoid division by 0 in fbcvthperiod In fbfindmodecvt, if mode-refresh happens to be 0x80000000, cvt.frefresh will become 0 when multiplied by 2 due to overflow. This value is then passed to fbcvthperiod, where...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: In the bitPutcs function, the bound-check glyph index was derived from the character value masked by 0xff or 0x1ff. This may lead to reading beyond the end of the built-in font array, exceeding the actual number o...

Astra Linux – Vulnerability found in Linux 5.15, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: cleanup of FB if dpuformatpopulatelayout fails If dpuformatpopulatelayout fails, then FB is prepared, but not cleaned up. This results in the pincount being leaked from the GEM object, causing a crash during DRM file...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: video/aperture: Call sysfbdisable before removing PCI devices Call sysfbdisable from apertureremoveconflictingpcidevices before removing PCI devices. Without this call, simpledrm may still bind to simple-framebuffer devices after...

CVE-2026-52720

A heap buffer overflow vulnerability was found in GStreamer's librfb RFB/VNC client. The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a...

CVE-2026-52720 Gstreamer1-plugins-bad-free: gstreamer: heap buffer overflow via crafted vnc server rectangle in librfb

A heap buffer overflow vulnerability was found in GStreamer's librfb RFB/VNC client. The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a...

CVE-2026-52720

A heap buffer overflow vulnerability was found in GStreamer's librfb RFB/VNC client. The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a...

Amazon Linux 2 : libvncserver, --advisory ALAS2-2026-3331 (ALAS-2026-3331)

The version of libvncserver installed on the remote host is prior to 0.9.9-14. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3331 advisory. LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decod...

OESA-2026-2490 libvncserver security update

libvncserver is a set of programs using the RFB Remote Frame Buffer protocol. They are designed to "export" a frame buffer via net: you set up a server and can connect to it via VNC viewers. If the server supports WebSockets which LibVNCServer does, you can also connect using an in-browser VNC...

fbcon: Avoid OOB font access if console rotation fails

...

drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()

...

SUSE CVE-2026-46209

In the Linux kernel, the following vulnerability has been resolved: drm/gem: Fix inconsistent plane dimension calculation in drmgemfbinitwithfuncs drmgemfbinitwithfuncs computes sub-sampled plane dimensions using plain integer division: unsigned int width = modecmd-width / i ? info-hsub : 1;...

CVE-2026-46191

A flaw was found in the Linux kernel's framebuffer console fbcon component. When console rotation fails, the fbconrotatefont function may keep an old font buffer that is too small for the rotated font. A local user printing to the rotated console with a high character code can trigger an...

CVE-2026-46209

In the Linux kernel, the following vulnerability has been resolved: drm/gem: Fix inconsistent plane dimension calculation in drmgemfbinitwithfuncs drmgemfbinitwithfuncs computes sub-sampled plane dimensions using plain integer division: unsigned int width = modecmd-width / i ? info-hsub : 1;...

UBUNTU-CVE-2026-46191

In the Linux kernel, the following vulnerability has been resolved: fbcon: Avoid OOB font access if console rotation fails Clear the font buffer if the reallocation during console rotation fails in fbconrotatefont. The putcs implementations for the rotated buffer will return early in this case. S...