Use After Free Affecting xwayland package, versions <22.1.8-r0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALPINE320-XWAYLAND-7015307
- published 23 May 2024
- disclosed 27 Mar 2023
Introduced: 27 Mar 2023
CVE-2023-0494 Open this link in a new tabHow to fix?
Upgrade Alpine:3.20 xwayland to version 22.1.8-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream xwayland package and not the xwayland package as distributed by Alpine.
See How to fix? for Alpine:3.20 relevant fixed versions and status.
A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.