CVE-2024-21885

Description

A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.

How to fix CVE-2024-21885

To remediate CVE-2024-21885, upgrade the affected package to a fixed version below.

—upgrade to 2:1.20.11-1+deb11u11 or later
—no fix listed

Is CVE-2024-21885 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2:1.20.11-1+deb11u11
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-21885