CVE-2022-2320 : A flaw was found in the Xorg-x11-server. The specific flaw exists within the han

A flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.

Published 2022-09-01 21:15:09

Updated 2024-02-01 02:27:15

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Memory CorruptionExecute code

Products affected by CVE-2022-2320

X.org » Xorg-server » Version: 21.1.0
cpe:2.3:a:x.org:xorg-server:21.1.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-2320

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 38 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-2320

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-2320

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.
Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)

References for CVE-2022-2320

https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/938

Fix CVE-2022-2319, CVE-2022-2320 (!938) · Merge requests · xorg / xserver · GitLab
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/freedesktop/xorg-xserver/commit/dd8caf39e9e15d8f302e54045dd08d8ebf1025dc

xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck · freedesktop/xorg-xserver@dd8caf3 · GitHub
Patch;Third Party Advisory
https://security.netapp.com/advisory/ntap-20221104-0003/

September 2022 X.Org X Server Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-22-963/

ZDI-22-963 | Zero Day Initiative
Third Party Advisory;VDB Entry
https://security.gentoo.org/glsa/202210-30

X.Org X server, XWayland: Multiple Vulnerabilities (GLSA 202210-30) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/939

[server 21.1] Fix CVE-2022-2319, CVE-2022-2320 (!939) · Merge requests · xorg / xserver · GitLab
Patch;Third Party Advisory

CVEs referencing this url
https://lists.freedesktop.org/archives/xorg-announce/2022-July/003192.html

X.Org Security Advisory: July 12, 2022
Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-2320

Products affected by CVE-2022-2320

Exploit prediction scoring system (EPSS) score for CVE-2022-2320

CVSS scores for CVE-2022-2320

CWE ids for CVE-2022-2320

References for CVE-2022-2320