CVE-2026-31742

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vt: discard stale unicode buffer on alt screen exit after resize<br /> <br /> When enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and<br /> sets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize()<br /> skips reallocating the unicode buffer because vc_uni_lines is NULL.<br /> However, vc_saved_uni_lines still points to the old buffer allocated for<br /> the original dimensions.<br /> <br /> When leave_alt_screen() later restores vc_saved_uni_lines, the buffer<br /> dimensions no longer match vc_rows/vc_cols. Any operation that iterates<br /> over the unicode buffer using the current dimensions (e.g. csi_J clearing<br /> the screen) will access memory out of bounds, causing a kernel oops:<br /> <br /> BUG: unable to handle page fault for address: 0x0000002000000020<br /> RIP: 0010:csi_J+0x133/0x2d0<br /> <br /> The faulting address 0x0000002000000020 is two adjacent u32 space<br /> characters (0x20) interpreted as a pointer, read from the row data area<br /> past the end of the 25-entry pointer array in a buffer allocated for<br /> 80x25 but accessed with 240x67 dimensions.<br /> <br /> Fix this by checking whether the console dimensions changed while in the<br /> alternate screen. If they did, free the stale saved buffer instead of<br /> restoring it. The unicode screen will be lazily rebuilt via<br /> vc_uniscr_check() when next needed.