| Name | CVE-2024-21886 |
| Description | A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3721-1, DSA-5603-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| xorg-server (PTS) | buster | 2:1.20.4-1+deb10u4 | vulnerable |
| buster (security) | 2:1.20.4-1+deb10u14 | fixed |
| bullseye | 2:1.20.11-1+deb11u11 | fixed |
| bullseye (security) | 2:1.20.11-1+deb11u13 | fixed |
| bookworm | 2:21.1.7-3+deb12u5 | fixed |
| bookworm (security) | 2:21.1.7-3+deb12u7 | fixed |
| trixie, sid | 2:21.1.12-1 | fixed |
| xwayland (PTS) | bookworm | 2:22.1.9-1 | vulnerable |
| trixie | 2:23.2.4-1 | fixed |
| sid | 2:23.2.6-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
[bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
https://lists.x.org/archives/xorg/2024-January/061525.html
https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b
https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
Regression: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1623