CVE-2024-21886: Xorg-x11-server: heap buffer overflow in disabledevice
First published: Tue Jan 02 2024(Updated: )
A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/xorg-server | <21.1.11 | 21.1.11 |
| redhat/xwayland | <23.2.4 | 23.2.4 |
| debian/xorg-server | 2:1.20.11-1+deb11u13 2:1.20.11-1+deb11u15 2:21.1.7-3+deb12u9 2:21.1.16-1 | |
| debian/xwayland | <=2:22.1.9-1 | 2:24.1.6-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:0320
- https://access.redhat.com/errata/RHSA-2024:0557
- https://access.redhat.com/errata/RHSA-2024:0558
- https://access.redhat.com/errata/RHSA-2024:0597
- https://access.redhat.com/errata/RHSA-2024:0607
- https://access.redhat.com/errata/RHSA-2024:0614
- https://access.redhat.com/errata/RHSA-2024:0617
- https://access.redhat.com/errata/RHSA-2024:0621
- https://access.redhat.com/errata/RHSA-2024:0626
- https://access.redhat.com/errata/RHSA-2024:0629
- https://access.redhat.com/errata/RHSA-2024:2169
- https://access.redhat.com/errata/RHSA-2024:2170
- https://access.redhat.com/errata/RHSA-2024:2995
- https://access.redhat.com/errata/RHSA-2024:2996
- https://access.redhat.com/security/cve/CVE-2024-21886
- https://bugzilla.redhat.com/show_bug.cgi?id=2256542
- https://gitlab.freedesktop.org/xorg/xserver/-/blob/8cce7f5d64d4f1027801892631b65b2c859cc559/dix/devices.c#L449
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2258935
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2258934
- https://launchpad.net/bugs/cve/CVE-2024-21886
- https://lists.x.org/archives/xorg/2024-January/061525.html
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
- https://gitlab.freedesktop.org/xorg/xserver/-/issues/1623
- https://security-tracker.debian.org/tracker/CVE-2024-21886
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21886
- https://nvd.nist.gov/vuln/detail/CVE-2024-21886
- https://ubuntu.com/security/CVE-2024-21886
Frequently Asked Questions
What is the severity of CVE-2024-21886?
CVE-2024-21886 is categorized as a critical vulnerability due to the potential for remote code execution.
How do I fix CVE-2024-21886?
To fix CVE-2024-21886, update the xorg-server to version 21.1.11 or xwayland to version 23.2.4 for Red Hat systems, or the relevant patched versions for Debian.
What causes the CVE-2024-21886 vulnerability?
CVE-2024-21886 is caused by a heap buffer overflow in the DisableDevice function within the X.Org server.
Can CVE-2024-21886 lead to application crashes?
Yes, CVE-2024-21886 can cause application crashes in addition to potentially enabling remote code execution in specific environments.
Is CVE-2024-21886 present in all versions of X.Org server?
No, CVE-2024-21886 affects specific versions of the xorg-server and xwayland packages, especially older versions prior to the recommended updates.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/severity
- agent/author
- collector/nvd-api
- source/NVD
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-21886
- agent/software-canonical-lookup
- collector/launchpad-cve
- source/Launchpad
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-cve
- agent/trending
- agent/softwarecombine
- agent/source
- agent/tags
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- package-manager/debian