What is the CVSS score of CVE-2025-49176?

CVE-2025-49176 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Red Hat are affected by CVE-2025-49176?

CVE-2025-49176 affects systems using the Big Requests extension and could allow attackers to bypass file size restrictions through integer overflow, potentially enabling denial-of-service attacks or…. A patch is available.

How to fix or mitigate CVE-2025-49176?

Within 24 hours: Identify all systems running Big Requests extension and document current usage. Within 7 days: Implement network segmentation to restrict Big Requests traffic to trusted sources only, and configure Web Application Firewalls (WAF) to enforce strict request size limits independent of the vulnerable extension. Within 30 days: Monitor vendor announcements for patch availability and establish a deployment plan; consider disabling Big Requests extension if not operationally critical.

Red Hat CVE-2025-49176

EUVD-2025-18503 HIGH

Integer Overflow or Wraparound (CWE-190)

2025-06-17 secalert@redhat.com

Denial Of Service Integer Overflow Red Hat Suse

7.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 22:15 euvd

EUVD-2025-18503

Analysis Generated

Mar 14, 2026 - 22:15 vuln.today

CVE Published

Jun 17, 2025 - 15:15 nvd

HIGH 7.3

DescriptionNVD

A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.

AnalysisAI

CVE-2025-49176 is an integer overflow vulnerability in the X11 Big Requests extension that allows local attackers with low privileges to bypass request size validation by triggering a multiplication-based integer wrap-around, enabling denial of service or potential code execution through oversized X protocol requests. The vulnerability affects X11 server implementations that use the Big Requests extension; while not currently listed in CISA KEV catalog, the 7.3 CVSS score and local attack vector indicate moderate-to-high real-world risk for multi-user systems. No public POC or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The Big Requests extension (part of X11/Xorg protocol stack) extends the maximum request size limit for X protocol communication beyond the standard 262,144-byte limit. The vulnerability exists in the request size validation logic, where the request length parameter is multiplied by 4 before comparison against a configured maximum size threshold—a common pattern for converting byte counts to word counts in X protocol processing. This multiplication (CWE-190: Integer Overflow or Wraparound) can cause the 32-bit integer to wrap around, resulting in a small value that passes the size check despite the original request being much larger. Affected components include Xorg server implementations and X11 protocol libraries that implement the Big Requests extension (BIGREQ extension). The root cause is improper input validation prior to arithmetic operations on untrusted client-supplied values.

RemediationAI

Immediate: (1) Update Xorg X Server to the patched version (version number pending—check security advisories from Xorg, Debian, Red Hat, and Ubuntu); (2) Verify Big Requests extension is patched via 'Xvfb -version' or 'grep -i bigreq' on running X servers. Short-term mitigation: (1) Disable Big Requests extension if not required by applications (uncommon configuration), (2) Restrict local X access via xhost controls or by limiting users with X session access, (3) Use authentication mechanisms like MIT-MAGIC-COOKIE or X11 socket permissions to limit client connections. Long-term: (1) Enable SELinux or AppArmor profiles to restrict X server process capabilities, (2) Run X server in containerized/sandboxed environments with reduced privileges, (3) Apply principle of least privilege for local user accounts. Patch availability: Check Xorg security advisories, RHEL/CentOS updates via 'yum update xorg-x11-server', Debian/Ubuntu via 'apt update && apt upgrade xorg-server', and respective CVE tracker pages for each distribution.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Ubuntu

Priority: Medium

xorg-server

Release	Status	Version
jammy	released	2:21.1.4-2ubuntu1.7~22.04.15
noble	released	2:21.1.12-1ubuntu1.4
oracular	released	2:21.1.13-2ubuntu1.4
plucky	released	2:21.1.16-1ubuntu1.1
trusty	needs-triage	-
upstream	released	21.1.17
bionic	released	2:1.19.6-1ubuntu4.15+esm13
focal	released	2:1.20.13-1ubuntu1~20.04.20+esm1
xenial	released	2:1.18.4-0ubuntu0.12+esm18
questing	released	2:21.1.18-1ubuntu1

xwayland

Release	Status	Version
jammy	released	2:22.1.1-1ubuntu0.19
noble	released	2:23.2.6-1ubuntu0.6
oracular	released	2:24.1.2-1ubuntu0.6
plucky	released	2:24.1.6-1ubuntu0.1
upstream	released	24.1.7
questing	released	2:24.1.6-1ubuntu1

xorg-hwe-16.04

Release	Status	Version
plucky	DNE	-
xenial	not-affected	code not present
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
upstream	not-affected	-
questing	DNE	-

xorg

Release	Status	Version
xenial	not-affected	code not present
bionic	not-affected	code not present
focal	not-affected	code not present
jammy	not-affected	code not present
noble	not-affected	code not present
oracular	not-affected	code not present
plucky	not-affected	code not present
upstream	not-affected	-
questing	not-affected	code not present

xorg-server-hwe-16.04

Release	Status	Version
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
xenial	released	2:1.19.6-1ubuntu4.1~16.04.6+esm10
questing	DNE	-

xorg-server-hwe-18.04

Release	Status	Version
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
bionic	released	2:1.20.8-2ubuntu2.2~18.04.11+esm5
questing	DNE	-

xorg-hwe-18.04

Release	Status	Version
bionic	not-affected	code not present
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	not-affected	-
questing	DNE	-

USN-7573-2 USN-7573-1

Debian

Bug #1108073