CVE-2025-49180

Description

A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.

How to fix CVE-2025-49180

To remediate CVE-2025-49180, upgrade the affected package to a fixed version below.

Debian/xorg-server—upgrade to 2:1.20.11-1+deb11u16 or later
Debian/xwayland—no fix listed

Is CVE-2025-49180 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2:1.20.11-1+deb11u16
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-49180