CVE-2025-49177

EUVD-2025-18499 | MEDIUM | 2025-06-17 | [email protected]
CVSS 3.1 base score: 6.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Patch Released: Mar 31, 2026, 21:13 (source: nvd); patch available
Analysis Generated: Mar 14, 2026, 22:15 (source: vuln.today)
EUVD ID Assigned: Mar 14, 2026, 22:15 (source: euvd); EUVD-2025-18499
CVE Published: Jun 17, 2025, 15:15 (source: nvd); severity MEDIUM, CVSS 6.1

Description

A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

Technical Context

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors, for example through error messages, logs, or improper access controls. In this case, the XFixesSetClientDisconnectMode handler does not check that the request length matches the expected size, so a local client can read memory left over from earlier requests. This vulnerability is classified as Information Exposure (CWE-200).

Remediation

Update xorg-server and xwayland to the fixed versions listed under Vendor Status (upstream 21.1.17 and 24.1.7 respectively, or the corresponding distribution packages). Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Priority Score

31 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +30
POC: 0

Vendor Status

Ubuntu

Priority: Medium

xorg-server

| Release | Status | Version |
| --- | --- | --- |
| jammy | released | 2:21.1.4-2ubuntu1.7~22.04.15 |
| noble | released | 2:21.1.12-1ubuntu1.4 |
| oracular | released | 2:21.1.13-2ubuntu1.4 |
| plucky | released | 2:21.1.16-1ubuntu1.1 |
| trusty | needs-triage | - |
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| upstream | released | 21.1.17 |
| questing | released | 2:21.1.18-1ubuntu1 |

xwayland

| Release | Status | Version |
| --- | --- | --- |
| jammy | released | 2:22.1.1-1ubuntu0.19 |
| noble | released | 2:23.2.6-1ubuntu0.6 |
| oracular | released | 2:24.1.2-1ubuntu0.6 |
| plucky | released | 2:24.1.6-1ubuntu0.1 |
| upstream | released | 24.1.7 |
| questing | released | 2:24.1.6-1ubuntu1 |

xorg

| Release | Status | Version |
| --- | --- | --- |
| xenial | not-affected | code not present |
| bionic | not-affected | code not present |
| focal | not-affected | code not present |
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | not-affected | - |
| questing | not-affected | code not present |

xorg-server-hwe-16.04

| Release | Status | Version |
| --- | --- | --- |
| xenial | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |

xorg-server-hwe-18.04

| Release | Status | Version |
| --- | --- | --- |
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |

xorg-hwe-16.04

| Release | Status | Version |
| --- | --- | --- |
| xenial | not-affected | code not present |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | not-affected | - |
| questing | DNE | - |

xorg-hwe-18.04

| Release | Status | Version |
| --- | --- | --- |
| bionic | not-affected | code not present |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | not-affected | - |
| questing | DNE | - |

Debian

Bug #1108369

xorg-server

| Release | Status | Fixed Version | Urgency |
| --- | --- | --- | --- |
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 2:1.20.11-1+deb11u17 | - |
| bookworm, bookworm (security) | fixed | 2:21.1.7-3+deb12u11 | - |
| trixie (security), trixie | fixed | 2:21.1.16-1.3+deb13u1 | - |
| forky, sid | fixed | 2:21.1.21-1 | - |
| bookworm | fixed | 2:21.1.7-3+deb12u10 | - |
| (unstable) | fixed | 2:21.1.16-1.2 | - |

xwayland

| Release | Status | Fixed Version | Urgency |
| --- | --- | --- | --- |
| bookworm | vulnerable | 2:22.1.9-1 | - |
| trixie | vulnerable | 2:24.1.6-1 | - |
| forky, sid | fixed | 2:24.1.9-1 | - |
| (unstable) | fixed | 2:24.1.8-1 | - |

CVE-2025-49177 vulnerability details – vuln.today