CVE-2022-49737

CWE-4135 documents5 sources

Severity

7.7HIGH

EPSS

0.2%

top 57.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

X.org X Server

Timeline

PublishedMar 16

Description

In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:HExploitability: 1.8 | Impact: 5.3

Affected Packages2 packages

▶Debianxorg-server< 2:21.1.16-1.1+1

▶CVEListV5x.org/x_server20.11 — 21.1.16

🔴Vulnerability Details

CVEList

CVE-2022-49737: In X↗2025-03-16

▶

OSV

CVE-2022-49737: In X↗2025-03-16

▶

GHSA

GHSA-3f26-j6r7-9q8v: In X↗2025-03-16

▶

📋Vendor Advisories

Debian

CVE-2022-49737: xorg-server - In X.Org X server 20.11 through 21.1.16, when a client application uses easystro...↗2022

▶