CVE-2022-46344 — Out-of-bounds Read in X.org Foundation Xorg-x11-server

CWE-125 — Out-of-bounds Read10 documents8 sources

Severity

8.8HIGHNVD

EPSS

1.0%

top 23.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

X.org Xorg-server X.org Xwayland THE X.org Foundation Xorg-x11-server +3 more

Timeline

PublishedDec 14

Latest updateFeb 16

Description

A vulnerability was found in X.Org. This security flaw occurs because the handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5the_x.org_foundation/xorg-x11-serverxorg-x11-server-1.20.4

▶Debianx.org/xorg-server< 2:1.20.11-1+deb11u4+3

▶NVDx.org/x_server1.20.4

▶Debianx.org/xwayland< 2:22.1.6-1+2

Also affects: Debian Linux 11.0, Fedora 36, 37

🔴Vulnerability Details

GHSA

GHSA-jjf8-5xjq-fq8j: A vulnerability was found in X↗2022-12-14

▶

CVEList

CVE-2022-46344: A vulnerability was found in X↗2022-12-14

▶

OSV

CVE-2022-46344: A vulnerability was found in X↗2022-12-14

▶

📋Vendor Advisories

Ubuntu

X.Org X Server vulnerabilities↗2023-02-16

▶

Red Hat

xorg-x11-server: XIChangeProperty out-of-bounds access↗2022-12-14

▶

BSD

OpenBSD 7.2 Errata 009: SECURITY FIX↗2022-12-14

▶

Ubuntu

X.Org X Server vulnerabilities↗2022-12-14

▶

BSD

OpenBSD 7.1 Errata 015: SECURITY FIX↗2022-12-14

▶