CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Description (NVD)
A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.
Analysis (AI)
CVE-2025-49179 is an integer overflow vulnerability in the X Record extension's RecordSanityCheckRegisterClients function that allows authenticated local users to bypass request length validation checks. This flaw enables privilege escalation and potential code execution on affected X11 systems. With a CVSS score of 7.3 and requiring local access with low privileges, this poses a moderate-to-high risk for multi-user systems; exploitation status and POC availability have not been confirmed in public disclosures as of analysis time.
Technical Context (AI)
The X Record extension (part of the X11 display server protocol suite) provides request recording and playback capabilities for applications. The RecordSanityCheckRegisterClients function is responsible for validating client record registration requests and enforcing length constraints. The vulnerability stems from CWE-190 (Integer Overflow or Wraparound), where integer arithmetic on request length computation fails to detect overflow conditions. When an attacker supplies crafted input values, the integer calculation wraps around, producing a smaller-than-expected length value that bypasses subsequent validation checks. This allows malformed or oversized requests to pass security checks that should have rejected them. Affected CPE scope includes X11 server implementations and X Record extension components across multiple Linux distributions and Unix-like systems using vulnerable X.Org or similar X server versions.
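The bug class described above, as an added C illustration that is not the X server's code: a length check whose expected size wraps in 32-bit arithmetic, beside a form that bounds each count before multiplying. The function names, element sizes and request layout are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed element sizes for this model; not taken from the X server source. */
#define ID_SIZE    4u
#define RANGE_SIZE 24u

/* Flawed check: the expected length is computed in 32-bit arithmetic,
 * so large counts wrap modulo 2^32 and can equal a small payload size. */
static bool length_ok_wrapping(uint32_t payload_bytes,
                               uint32_t n_ids, uint32_t n_ranges)
{
    uint32_t expected = ID_SIZE * n_ids + RANGE_SIZE * n_ranges;
    return expected == payload_bytes;
}

/* Hardened check: bound each count by what the payload can actually hold
 * before multiplying, so no product or sum can overflow. */
static bool length_ok_checked(uint32_t payload_bytes,
                              uint32_t n_ids, uint32_t n_ranges)
{
    if (n_ids > payload_bytes / ID_SIZE)
        return false;
    uint32_t remaining = payload_bytes - n_ids * ID_SIZE;
    if (n_ranges > remaining / RANGE_SIZE)
        return false;
    return remaining == n_ranges * RANGE_SIZE;
}

int main(void)
{
    /* Constructed inputs: {payload bytes, declared ids, declared ranges}. */
    const uint32_t cases[][3] = {
        { 32u, 2u, 1u },            /* consistent: 2*4 + 1*24 = 32 */
        { 32u, 2u, 2u },            /* inconsistent, no overflow involved */
        { 8u, 0x40000002u, 0u },    /* 4 * count wraps to 8 in 32 bits */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("payload=%u ids=%u ranges=%u wrapping=%d checked=%d\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               (unsigned)cases[i][2],
               length_ok_wrapping(cases[i][0], cases[i][1], cases[i][2]),
               length_ok_checked(cases[i][0], cases[i][1], cases[i][2]));
    return 0;
}
```

The third case is the one that matters: the wrapping check accepts a declared count far larger than the payload can hold, while the checked form rejects it.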
Remediation (AI)
Update immediately to a patched X.Org Server release (version numbers to be confirmed via the X.Org security advisory, typically available at x.org/wiki/SecurityPolicy) and apply vendor-specific updates for affected Linux distributions and Unix systems. Where patching is delayed, restrict X11 access via PAM/security modules, or disable the X Record extension if it is not required (via X configuration or compile-time options). Isolate multi-user systems, apply the principle of least privilege to X server access, and monitor system logs for anomalous X Record register operations. Detailed patch versions should be obtained from X.Org security advisories, Red Hat/CentOS security bulletins, Debian/Ubuntu security notices, and distribution-specific security pages.
Vendor Status (Vendor)
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| jammy | released | 2:21.1.4-2ubuntu1.7~22.04.15 |
| noble | released | 2:21.1.12-1ubuntu1.4 |
| oracular | released | 2:21.1.13-2ubuntu1.4 |
| plucky | released | 2:21.1.16-1ubuntu1.1 |
| trusty | needs-triage | - |
| upstream | released | 21.1.17 |
| bionic | released | 2:1.19.6-1ubuntu4.15+esm13 |
| focal | released | 2:1.20.13-1ubuntu1~20.04.20+esm1 |
| xenial | released | 2:1.18.4-0ubuntu0.12+esm18 |
| questing | released | 2:21.1.18-1ubuntu1 |

| Release | Status | Version |
|---|---|---|
| jammy | released | 2:22.1.1-1ubuntu0.19 |
| noble | released | 2:23.2.6-1ubuntu0.6 |
| oracular | released | 2:24.1.2-1ubuntu0.6 |
| plucky | released | 2:24.1.6-1ubuntu0.1 |
| upstream | released | 24.1.7 |
| questing | released | 2:24.1.6-1ubuntu1 |

| Release | Status | Version |
|---|---|---|
| xenial | not-affected | code not present |
| bionic | not-affected | code not present |
| focal | not-affected | code not present |
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | not-affected | - |
| questing | not-affected | code not present |

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| xenial | released | 2:1.19.6-1ubuntu4.1~16.04.6+esm10 |
| questing | DNE | - |

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| bionic | released | 2:1.20.8-2ubuntu2.2~18.04.11+esm5 |
| questing | DNE | - |

| Release | Status | Version |
|---|---|---|
| xenial | not-affected | code not present |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | not-affected | - |
| questing | DNE | - |

| Release | Status | Version |
|---|---|---|
| bionic | not-affected | code not present |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | not-affected | - |
| questing | DNE | - |
Debian
Bug #1108369

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2:1.20.11-1+deb11u16 | - |
| bullseye (security) | fixed | 2:1.20.11-1+deb11u17 | - |
| bookworm, bookworm (security) | fixed | 2:21.1.7-3+deb12u11 | - |
| trixie (security), trixie | fixed | 2:21.1.16-1.3+deb13u1 | - |
| forky, sid | fixed | 2:21.1.21-1 | - |
| bookworm | fixed | 2:21.1.7-3+deb12u10 | - |
| (unstable) | fixed | 2:21.1.16-1.2 | - |

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 2:22.1.9-1 | - |
| trixie | vulnerable | 2:24.1.6-1 | - |
| forky, sid | fixed | 2:24.1.9-1 | - |
| (unstable) | fixed | 2:24.1.8-1 | - |
EUVD-2025-18500