PT-2025-11371 · X.Org+3 · X.Org Server+3

Lemonsqueeze · Published 2021-11-22 · Updated 2025-08-12 · CVE-2022-49737

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

Name of the Vulnerable Software and Affected Versions

X.Org X server versions 20.11 through 21.1.16

Description

The issue arises when a client application uses easystroke for mouse gestures: the main thread modifies various data structures used by the input thread without acquiring a lock, resulting in a race condition. Specifically, AttachDevice in dix/devices.c does not acquire an input lock.

Recommendations

For X.Org X server versions 20.11 through 21.1.16, consider disabling the use of easystroke for mouse gestures until a patch is available, as a temporary workaround to minimize the risk of exploitation. Restrict access to the AttachDevice function in dix/devices.c to prevent unauthorized modifications to data structures used by the input thread.

Related Identifiers

BDU:2025-03961
CVE-2022-49737
OPENSUSE-SU-2025:14916-1
OPENSUSE-SU-2025_0984-1
SUSE-SU-2025:0984-1
SUSE-SU-2025_0984-1

Affected Products

Astra Linux
Debian
SUSE
X.Org Server