A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.
DeviceFocusEvent messages and XIQueryPointer responses contain a bit for each logically pressed button on the pointing device. Buttons can be arbitrarily mapped to values from 1 to 255; however, X.Org Server allocated memory based solely on the actual number of buttons on a specific device. When an attacker used a mapping value greater than the actual number of buttons, a write occurred outside the allocated heap area (CWE-787 — out-of-bounds write), leading to memory corruption.
An attacker can cause memory corruption in the X.Org Server process, which may consequently enable arbitrary code execution (RCE) with server privileges or cause a denial of service.
Apply patches available from the vendor according to references. For Red Hat Enterprise Linux, the following errata are available: RHSA-2024:0320, RHSA-2024:0557, RHSA-2024:0558, RHSA-2024:0597, and RHSA-2024:0607. It is recommended to implement patches as quickly as possible and restrict network access to the X.Org server to trusted hosts.
X.Org X Server, X.Org Xwayland, Fedora, Red Hat Enterprise Linux Desktop, and Red Hat Enterprise Linux Server — specific versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDebian
OSDebian10.0Fedora Project Fedora
OSFedoraproject39Red Hat Enterprise Linux Desktop
OSRedhat7.0Red Hat Enterprise Linux Server
OSRedhat7.0Red Hat Enterprise Linux Workstation
OSRedhat7.0X.org X Server
APPX.Org< 21.1.11X.org Xwayland
APPX.Org< 23.2.4
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki