CVE-2025-68296: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
In the Linux kernel, the following vulnerability has been resolved:
drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB
access in fbcon_remap_all(). Without holding the console lock the call
races with switching outputs.
VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon
function uses struct fb_info.node, which is set by register_framebuffer().
As the fb-helper code currently sets up VGA switcheroo before registering
the framebuffer, the value of node is -1 and therefore not a legal value.
For example, fbcon uses the value within set_con2fb_map() [1] as an index
into an array.
Moving vga_switcheroo_client_fb_set() after register_framebuffer() can
result in VGA switching that does not switch fbcon correctly.
Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),
which already holds the console lock. Fbdev calls fbcon_fb_registered()
from within register_framebuffer(). Serializes the helper with VGA
switcheroo's call to fbcon_remap_all().
Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info
as parameter, it really only needs the contained fbcon state. Moving the
call to fbcon initialization is therefore cleaner than before. Only amdgpu,
i915, nouveau and radeon support vga_switcheroo. For all other drivers,
this change does nothing.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue is a race condition during framebuffer console setup. Under the affected graphics switching path, the kernel can use an invalid framebuffer node value, leading to out-of-bounds access. The source does not provide CVSS, confirmed impact, or attacker requirements.
Executive priority
Track and remediate through standard kernel patch management, with priority for Linux laptops, workstations, or graphics-heavy systems using hybrid graphics. No active exploitation is cited, but kernel out-of-bounds access warrants timely updates.
Technical view
The flaw involves drm, fbcon, and vga_switcheroo. vga_switcheroo_client_fb_set() could race output switching before register_framebuffer() sets fb_info.node, leaving node as -1. fbcon_remap_all() can then use that invalid value as an array index. The fix moves the call under fbcon_fb_registered(), protected by the console lock.
Likely exposure
Likely exposure is Linux systems running affected kernel versions with fbcon and VGA switcheroo paths active. The source says only amdgpu, i915, nouveau, and radeon support vga_switcheroo. Distro exposure depends on vendor kernel builds and backports.
Exploitation context
The provided bundle does not show KEV listing, active exploitation, public exploit status, or attacker prerequisites. Treat exploitation likelihood as unconfirmed. The issue appears tied to a kernel graphics-console race rather than a remotely reachable service.
Researcher notes
Key evidence is the kernel commit rationale: serialization under the console lock prevents fbcon_remap_all() from observing fb_info.node before registration. The bundle lacks CVSS, CWE mapping, proof of exploitability, and distribution-specific fixed package data.
Mitigation direction
Apply vendor-supported kernel updates containing the referenced stable fixes.
Prioritize systems using amdgpu, i915, nouveau, or radeon with hybrid graphics switching.
If no package is available, monitor Linux distribution and kernel vendor advisories.
Avoid deploying custom kernels lacking the referenced framebuffer console fix.
Validation and detection
Check running kernel versions against vendor advisories and fixed stable commits.
Confirm whether systems load amdgpu, i915, nouveau, or radeon graphics drivers.
Review kernel logs for fbcon, drm, vga_switcheroo, OOB, or panic indicators.
Validate patched systems through normal boot and console switching tests.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-68296 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 16, 2025, 15:06 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.