CVE-2022-46340
X.Org Server XTestFakeInput Type Confusion Local Privilege Escalation Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A vulnerability was found in X.Org. This security flaw occurs becuase the swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through a the XTestFakeInput request. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. This issue does not affect systems where client and server use the same byte order.
Se encontró una vulnerabilidad en X.Org. Esta falla de seguridad se produce porque el controlador de intercambio para la solicitud XTestFakeInput de la extensión XTest puede dañar la pila si se envían GenericEvents con longitudes superiores a 32 bytes a través de una solicitud XTestFakeInput. Este problema puede provocar una elevación de privilegios locales en sistemas donde el servidor X ejecuta código privilegiado y remoto para sesiones de reenvío ssh X. Este problema no afecta a los sistemas donde el cliente y el servidor utilizan el mismo orden de bytes.
A vulnerability was found in X.Org. The issue occurs due to the swap handler for the XTestFakeInput request of the XTest extension, possibly corrupting the stack if GenericEvents with lengths larger than 32 bytes are sent through the XTestFakeInput request. This flaw can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions. This issue does not affect systems where the client and server use the same byte order.
This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of XTestFakeInput requests. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-11-30 CVE Reserved
- 2022-12-14 CVE Published
- 2024-08-03 CVE Updated
- 2024-10-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-121: Stack-based Buffer Overflow
- CWE-787: Out-of-bounds Write
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://security.gentoo.org/glsa/202305-30 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
X.org Search vendor "X.org" | X Server Search vendor "X.org" for product "X Server" | 1.20.4 Search vendor "X.org" for product "X Server" and version "1.20.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
X.org Search vendor "X.org" | X Server Search vendor "X.org" for product "X Server" | 1.20.4 Search vendor "X.org" for product "X Server" and version "1.20.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
X.org Search vendor "X.org" | X Server Search vendor "X.org" for product "X Server" | 1.20.4 Search vendor "X.org" for product "X Server" and version "1.20.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
X.org Search vendor "X.org" | X Server Search vendor "X.org" for product "X Server" | 1.20.4 Search vendor "X.org" for product "X Server" and version "1.20.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0" | - |
Safe
|
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
|