Corrective releases have been published for X.Org Server 21.1.17 and for xwayland 24.1.7, the DDX (Device-Dependent X) component that launches X.Org Server to run X11 applications in Wayland-based environments. The new version of X.Org Server fixes 6 vulnerabilities. The problems can potentially be exploited for privilege escalation on systems where the X server runs with root rights, as well as for remote code execution in configurations where X11 session forwarding over SSH is used for access.
Identified vulnerabilities:
- CVE-2025-49176 - An integer overflow leading to memory corruption in the implementation of the Big Requests extension, which allows sending requests larger than 64 kilobytes. The vulnerability has been present since the release of X11R6.0 (1994).
- CVE-2025-49179 - An integer overflow leading to memory corruption in the X Record extension implementation when an overly large client count or range is sent. The vulnerability has been present since X11R6.1 (1996).
- CVE-2025-49180 - An integer overflow leading to memory corruption in the implementation of the RandR extension. The vulnerability has been present since release 1.13 RC1 (2012).
- CVE-2025-49178 - The possibility of creating a condition that blocks requests from other clients. The vulnerability has been present since the release of Xorg 1.10.0.
- CVE-2025-49175 - An out-of-bounds read in the X Rendering extension when performing operations on animated cursors. The vulnerability has been present since XFree86 4.3.0 (2003).
- CVE-2025-49177 - A data leak in the implementation of the XFIXES extension caused by a missing check of the client request size in the XFixesSetClientDisconnectMode handler (the client can send a shorter request and read the data of the previous request). The vulnerability has been present since the release of Xorg Server 21.1 RC1 (2021).
Update: Hot on the heels of this release, X.Org Server 21.1.18 and xwayland 24.1.8 have been released, which include additional changes to fix the CVE-2025-49176 vulnerability.
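The missing request-size check described for CVE-2025-49177 can be illustrated with a small model of a handler that reads a fixed-size request structure from a reused input buffer, shown without and with the length check. This is an added example, not X.Org code: the structure, buffer and function names are hypothetical, and the request bytes are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical simplified model of a request handler; not X.Org code. */
enum { SUCCESS = 0, BAD_LENGTH = 16 }; /* 16 is BadLength in the X11 core protocol */
typedef struct {
    uint8_t  req_type, minor;
    uint16_t length;          /* whole request, in 4-byte units */
    uint32_t disconnect_mode; /* field the handler consumes */
} set_mode_req;               /* 8 bytes, so a valid length is 2 */
static uint8_t  conn_buf[64]; /* input buffer reused between requests */
static uint32_t stored_mode;  /* server-side state set by the handler */
/* Copies only the bytes that arrived; the rest of conn_buf keeps old data. */
static void receive(const void *wire, size_t n) { memcpy(conn_buf, wire, n); }

/* Before: reads the full structure without checking the declared length. */
int handle_unchecked(void) {
    set_mode_req req;
    memcpy(&req, conn_buf, sizeof req);
    stored_mode = req.disconnect_mode; /* may be leftover bytes */
    return SUCCESS;
}

/* After: a request whose declared size differs from the structure is rejected. */
int handle_checked(void) {
    set_mode_req req;
    memcpy(&req, conn_buf, sizeof req);
    if (req.length != sizeof req / 4)
        return BAD_LENGTH;
    stored_mode = req.disconnect_mode;
    return SUCCESS;
}

/* Constructed scenario: a full 8-byte request, then a 4-byte header-only one. */
uint32_t run_scenario(int (*handler)(void), int *status) {
    const set_mode_req prev = { 1, 0, 2, 0xC0FFEE01u }; /* constructed sample */
    const uint8_t short_req[4] = { 1, 0, 1, 0 };         /* declares length 1 */
    stored_mode = 0;
    receive(&prev, sizeof prev);
    receive(short_req, sizeof short_req);
    *status = handler();
    return stored_mode;
}

int main(void) {
    int st;
    printf("unchecked: mode=0x%08x\n", (unsigned)run_scenario(handle_unchecked, &st));
    printf("checked:   mode=0x%08x\n", (unsigned)run_scenario(handle_checked, &st));
    return 0;
}
```

With the unchecked handler the stored value comes from the earlier request's bytes; with the check, the short request is refused and no state changes.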
Source: opennet.ru
