CVE-2026-46191 Overview
CVE-2026-46191 is a Linux kernel vulnerability in the framebuffer console (fbcon) subsystem. The flaw exists in the fbcon_rotate_font() function, which fails to clear the font buffer when memory reallocation during console rotation fails. The stale, undersized buffer remains active and can be accessed during subsequent rotated console output. Printing a character with a sufficiently high code value triggers an out-of-bounds read of the font buffer. The Linux kernel maintainers have released a fix across multiple stable branches.
Critical Impact
A failed reallocation during console rotation leaves an undersized font buffer in place, enabling out-of-bounds memory access when the rotated console renders high-value character codes.
Affected Products
- Linux kernel fbcon (framebuffer console) subsystem
- Multiple stable kernel branches receiving the backport fixes
- Systems using rotated framebuffer consoles
Discovery Timeline
- 2026-05-28 - CVE-2026-46191 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46191
Vulnerability Analysis
The vulnerability resides in fbcon_rotate_font() within the Linux kernel framebuffer console driver. When the console is rotated, the driver attempts to reallocate a font buffer sized to fit the rotated glyph data. If that reallocation fails, the current implementation retains the old buffer rather than clearing it. The old buffer is too small to hold rotated font data for the active character set.
Subsequent rendering paths use the stale buffer pointer without re-checking its size against the active font. When the rotated console renders a character whose code exceeds the capacity of the retained buffer, the putcs implementations index past the end of the allocation. This produces an out-of-bounds read from kernel memory adjacent to the font buffer.
The upstream fix clears the font buffer when reallocation fails. With a cleared buffer, the rotated putcs implementations take their early-return path and skip rendering instead of dereferencing an undersized allocation.
Root Cause
The root cause is improper error handling on an allocation failure path. fbcon_rotate_font() did not invalidate or clear the font buffer state when krealloc-style reallocation failed, leaving the rendering path with a buffer too small for the rotated font. This is an out-of-bounds read condition triggered by a missing cleanup step.
Attack Vector
Triggering the vulnerability requires the ability to rotate the framebuffer console and write characters with high code values to that console. Successful exploitation depends on inducing an allocation failure during rotation, which typically requires either a low-memory condition or local control over kernel allocators. The resulting out-of-bounds read can disclose adjacent kernel memory or cause instability in the framebuffer subsystem.
No public exploitation code or proof-of-concept has been published for this issue. The referenced kernel mailing list discussion provides an example reproducer scenario for the buffer overflow path.
Detection Methods for CVE-2026-46191
Indicators of Compromise
- Unexpected kernel oops or KASAN reports referencing fbcon_rotate_font or fbconputcs functions
- Kernel log entries showing allocation failures within the framebuffer console path followed by console rendering activity
- System instability or crashes occurring after console rotation events on systems with memory pressure
Detection Strategies
- Audit running kernel versions across the fleet and compare against the fixed commits referenced in the kernel.org stable tree
- Enable KASAN on test and pre-production systems to surface out-of-bounds reads in fbcon code paths
- Review kernel logs for fbcon warnings or allocation failures that correlate with console rotation operations
Monitoring Recommendations
- Monitor kernel ring buffer messages (dmesg) for framebuffer console errors and allocation failures
- Track kernel package versions through configuration management to identify hosts running pre-patch kernels
- Alert on unexpected kernel crashes that originate from graphics or console subsystems
How to Mitigate CVE-2026-46191
Immediate Actions Required
- Apply the upstream stable kernel patches that clear the font buffer when fbcon_rotate_font() reallocation fails
- Update to a distribution kernel that incorporates the fix commits referenced in the kernel.org stable tree
- Restrict local access on systems that use rotated framebuffer consoles until patches are deployed
Patch Information
The Linux kernel project has merged the fix across multiple stable branches. Refer to the following commits for the corrected fbcon_rotate_font() implementation: 594973a2e549, 7105d9f1387d, ab6c34b9829d, b44cc78ff46b, and e4ef723d8975.
Workarounds
- Avoid using console rotation on framebuffer consoles until the kernel is patched
- Reduce exposure to local users on affected systems where the framebuffer console is in use
- Disable the framebuffer console where it is not required, favoring alternative console drivers
# Verify running kernel version and check for fbcon usage
uname -r
grep -i fbcon /proc/consoles
dmesg | grep -i fbcon
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
