{
  "threat_severity" : "Low",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: lib/fonts: fix undefined behavior in bit shift for get_default_font",
    "id" : "2402295",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402295"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1335",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nlib/fonts: fix undefined behavior in bit shift for get_default_font\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned.  The UBSAN warning calltrace like below:\nUBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20\nleft shift of 1 by 31 places cannot be represented in type 'int'\n<TASK>\ndump_stack_lvl+0x7d/0xa5\ndump_stack+0x15/0x1b\nubsan_epilogue+0xe/0x4e\n__ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\nget_default_font+0x1c7/0x1f0\nfbcon_startup+0x347/0x3a0\ndo_take_over_console+0xce/0x270\ndo_fbcon_takeover+0xa1/0x170\ndo_fb_registered+0x2a8/0x340\nfbcon_fb_registered+0x47/0xe0\nregister_framebuffer+0x294/0x4a0\n__drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]\ndrm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]\ndrm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]\ndrm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]\nbochs_pci_probe+0x6ca/0x772 [bochs]\nlocal_pci_probe+0x4d/0xb0\npci_device_probe+0x119/0x320\nreally_probe+0x181/0x550\n__driver_probe_device+0xc6/0x220\ndriver_probe_device+0x32/0x100\n__driver_attach+0x195/0x200\nbus_for_each_dev+0xbb/0x120\ndriver_attach+0x27/0x30\nbus_add_driver+0x22e/0x2f0\ndriver_register+0xa9/0x190\n__pci_register_driver+0x90/0xa0\nbochs_pci_driver_init+0x52/0x1000 [bochs]\ndo_one_initcall+0x76/0x430\ndo_init_module+0x61/0x28a\nload_module+0x1f82/0x2e50\n__do_sys_finit_module+0xf8/0x190\n__x64_sys_finit_module+0x23/0x30\ndo_syscall_64+0x58/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n</TASK>" ],
  "statement" : "The change fixes undefined behaviour from shifting a signed 32-bit value by a high bit position (UBSAN: shift-out-of-bounds) by switching the literal to an unsigned type.\nIn practice this triggered UBSAN warnings and can crash under some configurations during framebuffer/font selection (module init / fbcon startup).\nReproducing requires loading the affected code path (e.g. initializing the framebuffer or loading the driver that calls get_default_font).\nThe CVSS vector uses PR:H because triggering the problematic code path requires privileged/local operations (module/driver or framebuffer initialization).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50511\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50511\nhttps://lore.kernel.org/linux-cve-announce/2025100701-CVE-2022-50511-5d8d@gregkh/T" ],
  "name" : "CVE-2022-50511",
  "csaw" : false
}