CVE-2024-21885 — Heap-based Buffer Overflow in Xorg-server

CWE-122 — Heap-based Buffer Overflow CWE-120 — Classic Buffer Overflow12 documents9 sources

Severity

7.8HIGHNVD

EPSS

0.3%

top 50.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

X.org Xorg-server X.org Xwayland

Timeline

PublishedFeb 28

Latest updateMar 13

Description

A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶Debianx.org/xorg-server< 2:1.20.11-1+deb11u11+3

▶Debianx.org/xwayland< 2:23.2.4-1+1

🔴Vulnerability Details

OSV

CVE-2024-21885: A flaw was found in X↗2024-02-28

▶

GHSA

GHSA-2x93-8973-5mgq: A flaw was found in X↗2024-02-28

▶

CVEList

Xorg-x11-server: heap buffer overflow in xisenddevicehierarchyevent↗2024-02-28

▶

📋Vendor Advisories

Ubuntu

X.Org X Server vulnerabilities↗2024-03-13

▶

Microsoft

Xorg-x11-server: heap buffer overflow in xisenddevicehierarchyevent↗2024-02-13

▶

Ubuntu

X.Org X Server vulnerabilities↗2024-01-22

▶

Red Hat

xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent↗2024-01-16

▶

BSD

OpenBSD 7.3 Errata 025: SECURITY FIX↗2024-01-16

▶