Home

Description

In the Linux kernel, the following vulnerability has been resolved: tty: fix out-of-bounds access in tty_driver_lookup_tty() When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number. To reproduce: qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ -kernel ../linux-build-x86/arch/x86/boot/bzImage \ -append "console=ttyS0 console=tty3270" This crashes with: [ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: error_code(0x0000) - not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 [ 0.784013] chrdev_open+0xbd/0x230 [ 0.784444] ? cdev_device_add+0x80/0x80 [ 0.784920] do_dentry_open+0x1e0/0x410 [ 0.785389] path_openat+0xca9/0x1050 [ 0.785813] do_filp_open+0xaa/0x150 [ 0.786240] file_open_name+0x133/0x1b0 [ 0.786746] filp_open+0x27/0x50 [ 0.787244] console_on_rootfs+0x14/0x4d [ 0.787800] kernel_init_freeable+0x1e4/0x20d [ 0.788383] ? rest_init+0xc0/0xc0 [ 0.788881] kernel_init+0x11/0x120 [ 0.789356] ret_from_fork+0x22/0x30

PUBLISHED Reserved 2025-12-30 | Published 2025-12-30 | Updated 2026-01-05 | Assigner Linux

Product status

Default status
unaffected

99f1fe189daf8e99a847e420567e49dd7ee2aae7 (git) before 3df6f492f500a16c231f07ccc6f6ed1302caddf9
affected

99f1fe189daf8e99a847e420567e49dd7ee2aae7 (git) before b79109d6470aaae7062998353e3a19449055829d
affected

99f1fe189daf8e99a847e420567e49dd7ee2aae7 (git) before 953a4a352a0c185460ae1449e4c6e6658e55fdfc
affected

99f1fe189daf8e99a847e420567e49dd7ee2aae7 (git) before 84ea44dc3e4ecb2632586238014bf6722aa5843b
affected

99f1fe189daf8e99a847e420567e49dd7ee2aae7 (git) before f9d9d25ad1f0d060eaf297a2f7f03b5855a45561
affected

99f1fe189daf8e99a847e420567e49dd7ee2aae7 (git) before 765566110eb0da3cf60198b0165ecceeaafa6444
affected

99f1fe189daf8e99a847e420567e49dd7ee2aae7 (git) before fcfeaa570f7a5c2d5f4f14931909531ff18b7fde
affected

99f1fe189daf8e99a847e420567e49dd7ee2aae7 (git) before db4df8e9d79e7d37732c1a1b560958e8dadfefa1
affected

Default status
affected

2.6.28
affected

Any version before 2.6.28
unaffected

4.14.308 (semver)
unaffected

4.19.276 (semver)
unaffected

5.4.235 (semver)
unaffected

5.10.173 (semver)
unaffected

5.15.100 (semver)
unaffected

6.1.18 (semver)
unaffected

6.2.5 (semver)
unaffected

6.3 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/3df6f492f500a16c231f07ccc6f6ed1302caddf9

git.kernel.org/...c/b79109d6470aaae7062998353e3a19449055829d

git.kernel.org/...c/953a4a352a0c185460ae1449e4c6e6658e55fdfc

git.kernel.org/...c/84ea44dc3e4ecb2632586238014bf6722aa5843b

git.kernel.org/...c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561

git.kernel.org/...c/765566110eb0da3cf60198b0165ecceeaafa6444

git.kernel.org/...c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde

git.kernel.org/...c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1

cve.org (CVE-2023-54198)

nvd.nist.gov (CVE-2023-54198)

Download JSON