CVE-2022-2320: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds Access Local Privilege Escalation Vulnerability
First published: Thu Sep 01 2022(Updated: )
A flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| X.Org Server | ||
| X.org Xorg-server | =21.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/freedesktop/xorg-xserver/commit/dd8caf39e9e15d8f302e54045dd08d8ebf1025dc
- https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/938
- https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/939
- https://lists.freedesktop.org/archives/xorg-announce/2022-July/003192.html
- https://security.gentoo.org/glsa/202210-30
- https://security.netapp.com/advisory/ntap-20221104-0003/
- https://www.zerodayinitiative.com/advisories/ZDI-22-963/
- https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/938/diffs?commit_id=dd8caf39e9e15d8f302e54045dd08d8ebf1025dc
Frequently Asked Questions
What is CVE-2022-2320?
CVE-2022-2320 is a vulnerability that allows local attackers to escalate privileges on affected installations of X.Org Server.
How can the CVE-2022-2320 vulnerability be exploited?
An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
What is the severity of CVE-2022-2320?
The severity of CVE-2022-2320 is high with a CVSS score of 7.8.
Which software is affected by CVE-2022-2320?
X.Org Server version 21.1.0 is affected by CVE-2022-2320.
How do I fix the CVE-2022-2320 vulnerability?
To fix the CVE-2022-2320 vulnerability, it is recommended to update to a patched version of X.Org Server.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/references
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/severity
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-22-963
- alias/ZDI-CAN-16070
- alias/CVE-2022-2320
- vendor/x.org
- canonical/x.org xorg-server
- version/x.org xorg-server/21.1.0
- canonical/x.org server