// For flags

CVE-2024-31083

Xorg-x11-server: use-after-free in procrenderaddglyphs

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.

Se encontró una vulnerabilidad de use-after-free en la función ProcRenderAddGlyphs() de los servidores Xorg. Este problema ocurre cuando se llama a AllocateGlyph() para almacenar nuevos glifos enviados por el cliente al servidor X, lo que potencialmente resulta en múltiples entradas que apuntan a los mismos glifos no recontados. En consecuencia, ProcRenderAddGlyphs() puede liberar un glifo, lo que lleva a un escenario de use-after-free cuando posteriormente se accede al mismo puntero de glifo. Esta falla permite que un atacante autenticado ejecute código arbitrario en el sistema enviando una solicitud especialmente manipulada.

This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the ProcRenderAddGlyphs function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.

*Credits: Jan-Niklas Sohn
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-03-28 CVE Reserved
  • 2024-04-05 CVE Published
  • 2024-04-29 EPSS Updated
  • 2024-11-24 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
References (23)
URL Tag Source
http://www.openwall.com/lists/oss-security/2024/04/03/13
http://www.openwall.com/lists/oss-security/2024/04/12/10
https://lists.debian.org/debian-lts-announce/2024/04/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6TF7FZXOKHIKPZXYIMSQXKVH7WITKV3V
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EBLQJIAXEDMEGRGZMSH7CWUJHSVKUWLV
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P73U4DAAWLFZAPD75GLXTGMSTTQWW5AP
URL Date SRC
URL Date SRC
URL Date SRC
https://access.redhat.com/errata/RHSA-2024:1785 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2036 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2037 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2038 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2039 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2040 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2041 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2042 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2080 2024-05-24
https://access.redhat.com/errata/RHSA-2024:2616 2024-05-24
https://access.redhat.com/errata/RHSA-2024:3258 2024-05-24
https://access.redhat.com/errata/RHSA-2024:3261 2024-05-24
https://access.redhat.com/errata/RHSA-2024:3343 2024-05-24
https://access.redhat.com/security/cve/CVE-2024-31083 2024-05-24
https://bugzilla.redhat.com/show_bug.cgi?id=2272000 2024-05-24
https://access.redhat.com/errata/RHSA-2024:9093 2024-11-24
https://access.redhat.com/errata/RHSA-2024:9122 2024-11-24
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
---- -