Out-of-bounds Write Affecting xwayland package, versions <23.2.4-r0


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.4% (75th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE321-XWAYLAND-8489869
  • published6 Dec 2024
  • disclosed18 Jan 2024

Introduced: 18 Jan 2024

CVE-2023-6816  (opens in a new tab)
CWE-787  (opens in a new tab)

How to fix?

Upgrade Alpine:3.21 xwayland to version 23.2.4-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream xwayland package and not the xwayland package as distributed by Alpine. See How to fix? for Alpine:3.21 relevant fixed versions and status.

A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.

CVSS Scores

version 3.1