CVE-2024-31083

EUVD-2024-28994

05.04.2024, 12:15

A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
redhat	CNA	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Debian Releases

Debian Product

Codename

xorg-server

bookworm	2:21.1.7-3+deb12u10 ignored
bookworm (security)	2:21.1.7-3+deb12u11 fixed
bullseye	2:1.20.11-1+deb11u13 fixed
bullseye (security)	2:1.20.11-1+deb11u17 fixed
forky	2:21.1.21-1 fixed
sid	2:21.1.21-1 fixed
trixie	2:21.1.16-1.3+deb13u1 fixed
trixie (security)	2:21.1.16-1.3+deb13u1 fixed

xwayland

bookworm	ignored
forky	2:24.1.9-1 fixed
sid	2:24.1.9-1 fixed
trixie	2:24.1.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

xorg

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	not-affected
noble	not-affected
oracular	not-affected
plucky	not-affected
questing	not-affected
xenial	not-affected

xorg-server

bionic	Fixed 2:1.19.6-1ubuntu4.15+esm8 released
focal	Fixed 2:1.20.13-1ubuntu1~20.04.17 released
jammy	Fixed 2:21.1.4-2ubuntu1.7~22.04.10 released
mantic	Fixed 2:21.1.7-3ubuntu2.9 released
noble	Fixed 2:21.1.12-1ubuntu1 released
oracular	Fixed 2:21.1.12-1ubuntu1 released
plucky	Fixed 2:21.1.12-1ubuntu1 released
questing	Fixed 2:21.1.12-1ubuntu1 released
trusty	Fixed 2:1.15.1-0ubuntu2.11+esm11 released
xenial	Fixed 2:1.18.4-0ubuntu0.12+esm13 released

xwayland

focal	dne
jammy	Fixed 2:22.1.1-1ubuntu0.13 released
mantic	Fixed 2:23.2.0-1ubuntu0.6 released
noble	not-affected
oracular	not-affected
plucky	not-affected
questing	not-affected

xorg-server-hwe-16.04

focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
xenial	needs-triage

xorg-server-hwe-18.04

bionic	needs-triage
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

xorg-hwe-16.04

focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
xenial	not-affected

xorg-hwe-18.04

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://access.redhat.com/errata/RHSA-2024:1785

https://access.redhat.com/errata/RHSA-2024:2036

https://access.redhat.com/errata/RHSA-2024:2037

https://access.redhat.com/errata/RHSA-2024:2038

https://access.redhat.com/errata/RHSA-2024:2039

https://access.redhat.com/errata/RHSA-2024:2040

https://access.redhat.com/errata/RHSA-2024:2041

https://access.redhat.com/errata/RHSA-2024:2042

https://access.redhat.com/errata/RHSA-2024:2080

https://access.redhat.com/errata/RHSA-2024:2616

https://access.redhat.com/errata/RHSA-2024:3258

https://access.redhat.com/errata/RHSA-2024:3261

https://access.redhat.com/errata/RHSA-2024:3343

https://access.redhat.com/errata/RHSA-2024:9093

https://access.redhat.com/errata/RHSA-2024:9122

https://access.redhat.com/errata/RHSA-2025:12751

https://access.redhat.com/security/cve/CVE-2024-31083

https://bugzilla.redhat.com/show_bug.cgi?id=2272000

http://www.openwall.com/lists/oss-security/2024/04/03/13

http://www.openwall.com/lists/oss-security/2024/04/12/10

https://access.redhat.com/errata/RHSA-2024:1785

https://access.redhat.com/errata/RHSA-2024:2036

https://access.redhat.com/errata/RHSA-2024:2037

https://access.redhat.com/errata/RHSA-2024:2038

https://access.redhat.com/errata/RHSA-2024:2039

https://access.redhat.com/errata/RHSA-2024:2040

https://access.redhat.com/errata/RHSA-2024:2041

https://access.redhat.com/errata/RHSA-2024:2042

https://access.redhat.com/errata/RHSA-2024:2080

https://access.redhat.com/errata/RHSA-2024:2616

https://access.redhat.com/errata/RHSA-2024:3258

https://access.redhat.com/errata/RHSA-2024:3261

https://access.redhat.com/errata/RHSA-2024:3343

https://access.redhat.com/security/cve/CVE-2024-31083

https://bugzilla.redhat.com/show_bug.cgi?id=2272000

https://lists.debian.org/debian-lts-announce/2024/04/msg00009.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6TF7FZXOKHIKPZXYIMSQXKVH7WITKV3V/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EBLQJIAXEDMEGRGZMSH7CWUJHSVKUWLV/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P73U4DAAWLFZAPD75GLXTGMSTTQWW5AP/