In the Linux kernel, the following vulnerability has been resolved:
vt: discard stale unicode buffer on alt screen exit after resize
When enteraltscreen() saves vcunilines into vcsavedunilines and sets vcunilines to NULL, a subsequent console resize via vcdoresize() skips reallocating the unicode buffer because vcunilines is NULL. However, vcsavedunilines still points to the old buffer allocated for the original dimensions.
When leavealtscreen() later restores vcsavedunilines, the buffer dimensions no longer match vcrows/vccols. Any operation that iterates over the unicode buffer using the current dimensions (e.g. csiJ clearing the screen) will access memory out of bounds, causing a kernel oops:
BUG: unable to handle page fault for address: 0x0000002000000020 RIP: 0010:csi_J+0x133/0x2d0
The faulting address 0x0000002000000020 is two adjacent u32 space characters (0x20) interpreted as a pointer, read from the row data area past the end of the 25-entry pointer array in a buffer allocated for 80x25 but accessed with 240x67 dimensions.
Fix this by checking whether the console dimensions changed while in the alternate screen. If they did, free the stale saved buffer instead of restoring it. The unicode screen will be lazily rebuilt via vcuniscrcheck() when next needed.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31742.json"
}