CVE-2023-6816
xorg-server - security update
Severity: CRITICAL 9.8 (CVSS 3.1); EPSS 3.0%
Description
A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.
How to fix CVE-2023-6816
To remediate CVE-2023-6816, upgrade the affected package to a fixed version below.
- upgrade to 2:1.20.11-1+deb11u11 or later
- upgrade to 2:1.20.4-1+deb10u13 or later
- upgrade to 2:1.20.11-1+deb11u11 or later
- no fix listed
Is CVE-2023-6816 being exploited?
Low — EPSS is 3.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 2:1.20.11-1+deb11u11
- from 0, < 2:1.20.4-1+deb10u13
- from 0, < 2:1.20.11-1+deb11u11
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |