CVE-2023-3161: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability was discovered in the Framebuffer Console (fbcon) component of the Linux Kernel, identified as CVE-2023-3161. The vulnerability was disclosed on June 12, 2023, and affects Linux Kernel versions up to (excluding) 6.2. The issue occurs when providing font->width and font->height values greater than 32 to the fbconsetfont function, where the absence of proper checks leads to a shift-out-of-bounds condition (NVD).

The vulnerability stems from an incorrect calculation in the fbconsetfont function where blitx and blity are u32 variables, meaning the framebuffer console cannot support fonts larger than 32x32. The 32x32 case specifically involves shifting an unsigned int to properly set bit 31, and without proper checks, this results in undefined behavior. The issue was assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to undefined behavior and potential denial of service when exploited. The impact is limited to local attacks and primarily affects system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability was fixed in Linux Kernel 6.2-rc7 with a patch that implements proper checks for font dimension limits. The fix was committed to the mainline kernel repository and includes validation to prevent font dimensions larger than 32x32 (GitHub Commit, Red Hat Bugzilla).