Skip to main content

Red Hat CVE-2025-62229

HIGH
Use After Free (CWE-416)
2025-10-30 secalert@redhat.com
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Apr 20, 2026 - 14:33 vuln.today

DescriptionCVE.org

A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.

AnalysisAI

Use-after-free in X.Org X server and Xwayland during Present extension notification processing allows local authenticated users to achieve arbitrary code execution or denial of service. The flaw affects core display server components across multiple Linux distributions, with Red Hat confirming patches through 15 security advisories (RHSA-2025:19432 through RHSA-2025:22055). CVSS 7.3 reflects high integrity and availability impact with low confidentiality impact. No active exploitation confirmed (not in CISA KEV). EPSS data not provided, but the local attack vector and authentication requirement reduce remote exploitation risk despite the severity of potential impact.

Technical ContextAI

The X.Org X server and Xwayland implement the X11 Present extension, which provides mechanisms for timing and synchronization of window content updates. This vulnerability (CWE-416: Use After Free) occurs during notification creation within the Present extension processing logic. Improper error handling fails to properly invalidate pointers when notification objects are freed, leaving dangling references. Subsequent access to these freed memory regions creates a use-after-free condition that can be leveraged for memory corruption. Both X.Org X server (the traditional X11 display server) and Xwayland (the compatibility layer allowing X11 applications to run on Wayland compositors) share this vulnerable code path. The flaw exists in core display server infrastructure used across virtually all Linux desktop environments, making it broadly applicable but requiring local system access to exploit.

Affected ProductsAI

X.Org X server and Xwayland packages across Red Hat Enterprise Linux distributions are confirmed affected. Red Hat security advisories RHSA-2025:19432, RHSA-2025:19433, RHSA-2025:19434, RHSA-2025:19435, RHSA-2025:19489, RHSA-2025:19623, RHSA-2025:19909, RHSA-2025:20958, RHSA-2025:20960, RHSA-2025:20961, RHSA-2025:21035, RHSA-2025:22040, RHSA-2025:22041, RHSA-2025:22051, and RHSA-2025:22055 cover multiple RHEL versions and derivative distributions. The vulnerability affects both traditional X.Org server implementations and Xwayland compatibility layers. Other Linux distributions using X.Org or Xwayland from upstream sources are likely affected pending vendor-specific advisories. Specific version ranges not provided in available data; consult distribution-specific RHSA advisories at https://access.redhat.com/errata/ for exact affected and fixed versions per distribution release.

RemediationAI

Apply vendor-released patches immediately for affected X.Org X server and Xwayland packages. Red Hat users should consult the specific RHSA advisory matching their distribution version and apply updates through standard package management (yum/dnf update xorg-x11-server xorg-x11-server-Xwayland). Red Hat advisories available at https://access.redhat.com/errata/RHSA-2025:19432 through RHSA-2025:22055 provide distribution-specific patched versions. Other Linux distribution users should check vendor security advisories for availability of patched packages. If immediate patching is not possible, limit local user access to trusted accounts only, disable multi-user login capabilities on affected systems, and implement mandatory access controls (SELinux, AppArmor) to restrict X server exploitation impact. Disabling the Present extension entirely may prevent exploitation but will break application functionality relying on this extension, including most modern desktop compositors and video playback applications, making this workaround impractical for production desktop environments. Monitor systems for unexpected X server crashes or memory corruption indicators as potential exploitation attempts.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Affected
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.6 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.33 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.18 Affected
Container suse/sl-micro/6.1/base-os-container:2.2.1-5.30 Affected
Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected

Share

CVE-2025-62229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy