CVE-2024-0408

CWE-15812 documents9 sources

Severity

5.5MEDIUM

EPSS

0.0%

top 93.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tigervnc Tigervnc X.org X Server X.org Xwayland +9 more

Timeline

PublishedJan 18

Latest updateMar 13

Description

A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages8 packages

▶NVDx.org/x_server< 21.1.11

▶Debianxorg-server< 2:1.20.11-1+deb11u11+3

▶NVDredhat/enterprise_linux_server7.0

▶NVDx.org/xwayland< 23.2.4

▶NVDtigervnc/tigervnc< 1.13.1

Also affects: Fedora 39, Enterprise Linux 6.0, 7.0, 8.0, 9.0

🔴Vulnerability Details

CVEList

Xorg-x11-server: selinux unlabeled glx pbuffer↗2024-01-18

▶

OSV

CVE-2024-0408: A flaw was found in the X↗2024-01-18

▶

GHSA

GHSA-rcj8-jx65-7c4r: A flaw was found in the X↗2024-01-18

▶

📋Vendor Advisories

Ubuntu

X.Org X Server vulnerabilities↗2024-03-13

▶

Ubuntu

X.Org X Server vulnerabilities↗2024-01-22

▶

Red Hat

xorg-x11-server: SELinux unlabeled GLX PBuffer↗2024-01-16

▶

BSD

OpenBSD 7.3 Errata 025: SECURITY FIX↗2024-01-16

▶

Ubuntu

X.Org X Server vulnerabilities↗2024-01-16

▶