PT-2024-1261 · X.Org · X.Org Server
Robb Gatica · Published 2024-01-16 · Updated 2025-08-04
CVE-2024-21885
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Vulnerability Report
Name of the Vulnerable Software and Affected Versions
- X.Org Server versions prior to 1.20.14-alt11
- X.Org Server versions prior to 2:1.20.11-1+deb11u11 (Debian bullseye)
- X.Org Server versions prior to 2:21.1.7-3+deb12u5 (Debian bookworm)
- X.Org xwayland versions prior to 23.1.1-alt4
- X.Org x11-server versions prior to 21.1.11-1.1 (openSUSE Tumbleweed)
Description
A heap-based buffer overflow vulnerability exists in the XISendDeviceHierarchyEvent function of the X.Org server. It can be triggered when the server processes new device IDs, potentially leading to a crash or remote code execution, particularly in SSH X11 forwarding environments.
Recommendations
- Upgrade X.Org Server to version 1.20.14-alt11 or later.
- For Debian bullseye, upgrade X.Org Server to version 2:1.20.11-1+deb11u11 or later.
- For Debian bookworm, upgrade X.Org Server to version 2:21.1.7-3+deb12u5 or later.
- Upgrade X.Org xwayland to version 23.1.1-alt4 or later.
- For openSUSE Tumbleweed, upgrade X.Org x11-server to version 21.1.11-1.1 or later.
Tags: Fix · RCE · Heap-based Buffer Overflow
Affected Products
- Alt Linux
- AlmaLinux
- Astra Linux
- CentOS
- Debian
- Linux Mint
- Red Hat
- Red OS
- Rocky Linux
- SUSE
- Ubuntu
- X.Org Server