Vulnerability CVE-2024-21885: Information

Description

A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.

URL: https://nvd.nist.gov/vuln/detail/CVE-2024-21885
Published: Feb. 28, 2024
Modified: May 22, 2024
Error type identifier: CWE-122

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
xorg-serverp101.20.14-alt111.20.14-alt13ALT-PU-2024-1183-2338291Fixed
xorg-serverp91.20.8-alt121.20.8-alt12ALT-PU-2024-1181-2338294Fixed
xorg-serverc10f11.20.14-alt111.20.14-alt12ALT-PU-2024-4743-2343922Fixed
xorg-serverc9f21.20.8-alt121.20.8-alt12ALT-PU-2024-3261-2341756Fixed
xorg-xwaylandp1023.1.1-alt423.1.1-alt5ALT-PU-2024-1182-2338291Fixed
xorg-xwaylandc10f123.1.1-alt423.1.1-alt5ALT-PU-2024-4745-2343922Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
RHSA-2024:0320
    RHSA-2024:0557
      RHSA-2024:0558
        RHSA-2024:0597
          RHSA-2024:0607
            RHSA-2024:0614
              RHSA-2024:0617
                RHSA-2024:0621
                  RHSA-2024:0626
                    RHSA-2024:0629
                      https://access.redhat.com/security/cve/CVE-2024-21885
                        RHBZ#2256540
                          RHSA-2024:2169
                            RHSA-2024:2170
                              https://security.netapp.com/advisory/ntap-20240503-0004/
                                RHSA-2024:2995
                                  RHSA-2024:2996
                                    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                                    Version: v24.5.1
                                    Back to top