Security Advisories

This page details security issues that have been found in X.Org, and their remedies.

Please contact the X.Org security team at xorg-security@lists.x.org to report security issues in the X.Org codebase.

While the advisories are listed below by the most recent release they affect, most affect older releases as well, in many cases going back to the introduction of the affected functionality.

See the Security Checklist for the list of things to go from a bug report to a released advisory.

X.Org 7.7

  • January 16, 2024 Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4

    • CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
    • CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access
    • CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent
    • CVE-2024-21886: Heap buffer overflow in DisableDevice
    • CVE-2024-0409: SELinux context corruption
    • CVE-2024-0408: SELinux unlabeled GLX PBuffer
    • Fixed in xwayland 23.2.4
    • Fixed in xorg-server 21.1.11
    • Please see the advisory for more information
  • October 2, 2023 Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17

    • CVE-2023-43785 libX11: out-of-bounds memory access in _XkbReadKeySyms()
    • CVE-2023-43786 libX11: stack exhaustion from infinite recursion in PutSubImage()
    • CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to a heap overflow
    • CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
    • CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap
    • Fixed in libX11 1.8.7 and libXpm 3.5.17
    • Please see the advisory for more information
  • June 15, 2023 Buffer overflows in InitExt.c in libX11 prior to 1.8.6

  • January 17, 2023 Issues handling XPM files in libXpm prior to 3.5.15

    • CVE-2022-46285 Infinite loop on unclosed comments
    • CVE-2022-44617 Runaway loop on width of 0 and enormous height
    • CVE-2022-4883 compression commands depend on $PATH
    • Fixed in libXpm 3.5.15
    • Please see the advisory for more information
  • December 14, 2022 Multiple security issues in X server extensions

    • CVE-2022-46340 / ZDI-CAN-19265 XTestSwapFakeInput stack overflow
    • CVE-2022-46341 / ZDI-CAN-19381 XIPassiveUngrab out-of-bounds access
    • CVE-2022-46342 / ZDI-CAN-19400 XvdiSelectVideoNotify use-after-free
    • CVE-2022-46343 / ZDI-CAN-19404 ScreenSaverSetAttributes use-after-free
    • CVE-2022-46344 / ZDI-CAN-19405 XIChangeProperty out-of-bounds access
    • CVE-2022-4283 / ZDI-CAN-19530 XkbGetKbdByName use-after-free
    • Fixed in xwayland 22.1.6
    • Fixed in xorg-server 21.1.5
    • Please see the advisory for more information
  • December 14, 2021 Multiple input validation failures in X server extensions

    • CVE-2021-4008 / ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds access
    • CVE-2021-4009 / ZDI-CAN-14950 SProcXFixesCreatePointerBarrier out-of-bounds access
    • CVE-2021-4010 / ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access
    • CVE-2021-4011 / ZDI-CAN-14952 SwapCreateRegister out-of-bounds access
    • Fixed in xwayland 21.1.4
    • Fixed in xorg-server 21.1.2
    • Fixed in xorg-server 1.20.14
    • Please see the advisory for more information
  • April 13, 2021 Input validation failures in X server XInput extension

  • December 1, 2020 Multiple input validation failures in X server XKB extension

    • CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access
    • CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow
    • Fixed in xorg-server 1.20.10
    • Please see the advisory for more information
  • August 25, 2020 Multiple input validation failures in X server extensions

    • CVE-2020-14345 / ZDI CAN 11428: XkbSetNames Out-Of-Bounds Access. The handler for the XkbSetNames request does not validate the request length before accessing its contents.
    • CVE-2020-14346 / ZDI CAN 11429: XIChangeHierarchy Integer Underflow. An integer underflow exists in the handler for the XIChangeHierarchy request.
    • CVE-2020-14361 / ZDI CAN 11573: XkbSelectEvents Integer Underflow. An integer underflow exist in the handler for the XkbSelectEvents request.
    • CVE-2020-14362 / ZDI CAN 11574: XRecordRegisterClients Integer Underflow. An integer underflow exist in the handler for the CreateRegister request of the X record extension.
    • Fixed in xorg-server 1.20.9
    • Please see the advisory for more information.
  • August 25, 2020 Double free in libX11 locale handling code

    • CVE-2020-14363: There is an integer overflow and a double free vulnerability in the way LibX11 handles locales.
    • Fixed in libX11 1.6.12
    • Please see the advisory for more information.
  • July 31, 2020 Heap corruption in the X input method client in libX11

    • CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.
    • Fixed in libX11 1.6.10
    • Please see the advisory for more information.
  • July 31, 2020 X Server Pixel Data Uninitialized Memory Information Disclosure

    • CVE-2020-14347: Allocation for pixmap data in AllocatePixmap() does not initialize the memory in xserver, which could lead to leak uninitialized heap memory to clients.
    • Fixed in xorg-server 1.20.9
    • Please see the advisory for more information.
  • Oct. 25, 2018 Privilege escalation and file overwrite in X.Org X server 1.19 and later CVE-2018-14665

  • Aug. 22, 2018 Out-of-bounds write in libXcursor prior to 1.1.15

    • libXcursor could write one byte out of bounds when processing Xcursor theme files. CVE-2015-9262.
    • Please see the advisory for more information.
  • Aug. 21, 2018 Protocol handling issues in libX11 prior to 1.6.6

    • libX11 can write out of bounds or crash if servers send invalid replies. CVE-2018-14598, CVE-2018-14599, CVE-2018-14600.
    • Please see the advisory for more information.
  • Oct. 12, 2017 Protocol handling issues in X servers prior to 1.19.5

    • The X server was not checking lengths of many requests from clients, and could read out of bounds. CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179, CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183, CVE-2017-12184, CVE-2017-12185, CVE-2017-12186, CVE-2017-12187
    • Please see the xorg-server 1.19.5 release announcement for more information.
  • Oct. 4, 2017 X server implementation issues in MIT-SHM & XKB extensions

    • The X server can abort or overwrite the shared memory segment of another client if a client sends an invalid shared memory resource id. CVE-2017-13721.
    • The X server can write out of bounds when handling XKB strings. CVE-2017-13723.
    • Please see the advisory for more information.
  • Oct. 4, 2016 Protocol handling issues in X Window System client libraries

    • X client libraries can overflow buffers or corrupt memory in clients if servers send invalid replies. CVE-2016-5407. CVE-2016-7942, CVE-2016-7943, CVE-2016-7944, CVE-2016-7945, CVE-2016-7946, CVE-2016-7947, CVE-2016-7948, CVE-2016-7949, CVE-2016-7950, CVE-2016-7951, CVE-2016-7952, CVE-2016-5953.
    • Please see the advisory (extended version) for more information.
  • Apr. 14, 2015 - Buffer overflow in MakeBigReq macro in libX11 prior to 1.6

    • CVE-2013-7439 was assigned to track a buffer overflow fixed in libX11 in 2013 which requires other packages to be recompiled if they use the MakeBigReq() or SetReqLen() macros from <X11/XlibInt.h>.
    • Please see the advisory for more information.
  • Mar. 17, 2015 - More BDF file parsing issues in libXfont

    • CVE-2015-1802..1804: The libXfont library used by the X server to read font files can read or write memory out of bounds when loading invalid BDF font files provided by a user.
    • Please see the advisory for more information.
  • Feb 10, 2015 - Information leak in the XkbSetGeometry request of X servers

    • CVE-2015-0255: A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs.
    • Please see the advisory for more information.
  • Dec. 9, 2014 - Protocol handling issues in X Window System servers

    • CVE-2014-8091..8103: X servers can access uninitialized memory or overwrite arbitrary memory in the X server process if clients send invalid requests. This could cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution. Please see the advisory for more information.
  • May 13, 2014 - X Font Service Protocol & Font metadata file handling issues in libXfont

    • CVE-2014-0209: integer overflow of allocations in font metadata file parsing
    • CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
    • CVE-2014-0211: integer overflows calculating memory needs for xfs replies
    • Please see the advisory for more information.
  • Jan. 7, 2014 - Stack buffer overflow in parsing of BDF font files in libXfont

    • CVE-2013-6462: An authenticated X client can cause an X server to read a font file that overflows a buffer on the stack in the X server, potentially leading to crash and/or privilege escalation in setuid servers. The fix is included in libXfont 1.4.7. Please see the advisory for more information.
  • Oct. 8, 2013 - Use after free in Xserver handling of ImageText requests

    • CVE-2013-4396: An authenticated X client can cause an X server to use memory after it was freed, potentially leading to crash and/or memory corruption. Please see the advisory for more information.
  • May 23, 2013 - Protocol handling issues in X Window System client libraries

    • CVE-2013-1981..2005, CVE-2013-2062..2066: X client libraries can overflow buffers or corrupt memory in clients if servers send invalid replies. Please see the advisory for more information.
  • Apr 17, 2013 - vulnerability in VT-switch on Linux:

X.Org 7.6

  • Jan 19, 2012 - vulnerability in default keyboard maps:
  • Oct 18, 2011 - 2 vulnerabilities related to X server lock files:
    • CVE-2011-4028: File disclosure vulnerability: It is possible to deduce if a file exists or not by exploiting the way that Xorg creates its lock files.
    • CVE-2011-4029: File permission change vulnerability: It is possible for a non-root user to set the permissions for all users on any file or directory to 444, giving unwanted read access or causing denies of service (by removing execute permission). This is caused by a race between creating the lock file and setting its access modes. Please see the advisory for more information. Patches are available: CVE-2011-4028 CVE-2011-4029 Fixes are included in xserver 1.11.2RC2 and later.
  • Aug 10, 2011 - CVE-2011-2895: A specially crafted LZW compressed font file may be used by a user who can connect to the X server to overflow a buffer in the X server, possibly leading to a local privilege escalation. Please see the advisory for more information. Patch is available: CVE-2011-2895 Fix is included in libXfont 1.4.4 and later.
  • Apr 5, 2011 - CVE-2011-0465: By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb. Please see the advisory for more information. Patch is available: CVE-2011-0465

X.Org 7.3

X.Org 7.2

  • April 3, 2007 - CVE-2007-1003 CVE-2007-1351 CVE-2007-1352 CVE-2007-1352: Lack of validation of parameters passed to the X server and libX11 by client application can lead to various kinds of integer overflows or stack overflows that can be used to overwrite data in the X server memory. Please see the advisory for more information. Patches are available for 7.2.

X.Org 7.1

  • January 9, 2007 - CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and ProcRenderAddGlyphs() functions in the X server, implementing requests for the dbe and render extensions, may be used to overwrite data on the stack or in other parts of the X server's memory. Please see the advisory for more information. Patches are available for 6.8.2, 6.9.0, 7.0 and 7.1.
  • September 12, 2006 - It may be possible for a user with the ability to set the X server font path, by making it point to a malicious font, to cause arbitrary code execution or denial of service on the X server. Please see the advisory for more information. Patches are available for 6.8.2, 6.9.0, 7.0 and 7.1.

X.Org 6.9.0/7.0

  • June 20, 2006 - A lack of checks for setuid() failures when invoked by a privileged process (e.g., X server, xdm, xterm, if installed setuid or setgid) may cause the process to execute certain privileged operations (file access) as root while it was intended to be executed with a less privileged effective user ID, on systems where setuid() called by root can fail. This can be used by a malicious local user to overwrite files and possibly elevate privileges in some corner cases. Please see the advisory for more information. Patches are available for 6.8.2, 6.9.0, 7.0 and 7.1.
  • May 2, 2006 - A security vulnerability has been found in the X.Org server as shipped with X11R6.8.x, X11R6.9.0 and X11R7.0 (xorg-server 1.0.x) -- this is CVE-2006-1526. Clients authorized to connect to the X server are able to crash it and to execute malicious code within the X server. Please see the advisory for more information. Patches are available for 6.8.2, 6.9.0 and 7.0.
  • March 20, 2006 - A security vulnerability has been found in the X.Org server as shipped with X11R6.9.0 and X11R7.0 (xorg-server 1.0.0 and 1.0.1) -- this is CVE-2006-0745. Local users were able to escalate privileges to root and cause a DoS if the Xorg server was installed setuid root (the default). Note that earlier releases are not vulnerable. Please see the advisory for more information. Patches are available for 6.9.0 and 7.0. If you are running X11R7.0, you can upgrade xorg-server to 1.0.2 or later (release announcement).

X.Org 6.8.2

  • September 12, 2005 - Due to missing range checks for the pixel size of the pixmap subsequent pixmap read/write functions can access memory outside of the allocated pixmap by any X client that can connect to the affected X server. This way any user having access to the server can access memory that is accessible from within the X server and/or crash the server. The CVE number for these vulnerabilities is CVE-2005-2495. A patch against 6.8.2 is available.

X.Org 6.8.1

  • November 17, 2004 - X.Org was made aware of additional security vulnerability in libXpm, the X Pixmap library, which is shipped as part of the X Window System. The affected library is used in many popular application for image viewing and manipulation. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2004-0914 to these issues. Patches are provided for 6.8.0 and 6.8.1. The problem is fixed in 6.8.2 and later.

X.Org 6.8.0

  • September 15, 2004 - A security vulnerability has been found in libXpm, the X pixmap library which is shipped as part of the X Window System. Please check here for further information. This problem has been fixed in 6.8.1. We also provide a patch for 6.8.0 and earlier.

X11R6.6 and older

This is not a complete listing of older security issues, just those discovered more recently

  • July 24, 2012 - CVE-2012-1699: A vulnerability has been found in the X11R6 font server code in the handling of the SetEventMask request in xfs which can lead to either denial of service or a leak of information from the xfs process address space. Please see the advisory for more information. Patch is included in the advisory. Fix is included in XFree86 3.3.3 and later, and X.Org X11R6.7 and later.