LiveActive security incident?Get immediate response
CVE Record

CVE-2025-68296: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup

In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before registering the framebuffer, the value of node is -1 and therefore not a legal value. For example, fbcon uses the value within set_con2fb_map() [1] as an index into an array. Moving vga_switcheroo_client_fb_set() after register_framebuffer() can result in VGA switching that does not switch fbcon correctly. Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(), which already holds the console lock. Fbdev calls fbcon_fb_registered() from within register_framebuffer(). Serializes the helper with VGA switcheroo's call to fbcon_remap_all(). Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info as parameter, it really only needs the contained fbcon state. Moving the call to fbcon initialization is therefore cleaner than before. Only amdgpu, i915, nouveau and radeon support vga_switcheroo. For all other drivers, this change does nothing.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue is a race condition during framebuffer console setup. Under the affected graphics switching path, the kernel can use an invalid framebuffer node value, leading to out-of-bounds access. The source does not provide CVSS, confirmed impact, or attacker requirements.

Executive priority

Track and remediate through standard kernel patch management, with priority for Linux laptops, workstations, or graphics-heavy systems using hybrid graphics. No active exploitation is cited, but kernel out-of-bounds access warrants timely updates.

Technical view

The flaw involves drm, fbcon, and vga_switcheroo. vga_switcheroo_client_fb_set() could race output switching before register_framebuffer() sets fb_info.node, leaving node as -1. fbcon_remap_all() can then use that invalid value as an array index. The fix moves the call under fbcon_fb_registered(), protected by the console lock.

Likely exposure

Likely exposure is Linux systems running affected kernel versions with fbcon and VGA switcheroo paths active. The source says only amdgpu, i915, nouveau, and radeon support vga_switcheroo. Distro exposure depends on vendor kernel builds and backports.

Exploitation context

The provided bundle does not show KEV listing, active exploitation, public exploit status, or attacker prerequisites. Treat exploitation likelihood as unconfirmed. The issue appears tied to a kernel graphics-console race rather than a remotely reachable service.

Researcher notes

Key evidence is the kernel commit rationale: serialization under the console lock prevents fbcon_remap_all() from observing fb_info.node before registration. The bundle lacks CVSS, CWE mapping, proof of exploitability, and distribution-specific fixed package data.

Mitigation direction

  • Apply vendor-supported kernel updates containing the referenced stable fixes.
  • Prioritize systems using amdgpu, i915, nouveau, or radeon with hybrid graphics switching.
  • If no package is available, monitor Linux distribution and kernel vendor advisories.
  • Avoid deploying custom kernels lacking the referenced framebuffer console fix.

Validation and detection

  • Check running kernel versions against vendor advisories and fixed stable commits.
  • Confirm whether systems load amdgpu, i915, nouveau, or radeon graphics drivers.
  • Review kernel logs for fbcon, drm, vga_switcheroo, OOB, or panic indicators.
  • Validate patched systems through normal boot and console switching tests.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-68296 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
5Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux6a9ee8af344e3bd7dbd61e67037096cdf7f83289, 6a9ee8af344e3bd7dbd61e67037096cdf7f83289, 6a9ee8af344e3bd7dbd61e67037096cdf7f83289, 6a9ee8af344e3bd7dbd61e67037096cdf7f83289unaffected
LinuxLinux2.6.34, 0, 6.6.143, 6.12.61, 6.17.11, 6.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.