Vulnerability Details : CVE-2023-5380
A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.
Vulnerability category: Memory Corruption
Products affected by CVE-2023-5380
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:x.org:xwayland:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5380
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 13 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5380
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.7
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
1.0
|
3.6
|
NIST | |
4.7
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
1.0
|
3.6
|
Red Hat, Inc. | |
5.1
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
1.4
|
3.6
|
Red Hat, Inc. | |
5.1
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
N/A
|
N/A
|
RedHat-CVE-2023-5380 |
CWE ids for CVE-2023-5380
-
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2023-5380
-
https://access.redhat.com/errata/RHSA-2024:2298
RHSA-2024:2298 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/security/cve/CVE-2023-5380
CVE-2023-5380- Red Hat Customer PortalThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HO2Q2NP6R62ZRQQG3XQ4AXUT7J2EKKKY/
[SECURITY] Fedora 39 Update: tigervnc-1.13.1-6.fc39 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJXNI4BXURC2BKPNAHFJK3C5ZETB7PER/
[SECURITY] Fedora 37 Update: tigervnc-1.13.1-6.fc37 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://www.debian.org/security/2023/dsa-5534
Debian -- Security Information -- DSA-5534-1 xorg-serverThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2024:3067
RHSA-2024:3067 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2024:2995
RHSA-2024:2995 - Security Advisory - Red Hat Customer Portal
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WS5E7H4A5J3U5YBCTMRPQVGWK5LVH7D/
[SECURITY] Fedora 38 Update: tigervnc-1.13.1-6.fc38 - package-announce - Fedora Mailing-ListsMailing List
-
https://security.gentoo.org/glsa/202401-30
X.Org X Server, XWayland: Multiple Vulnerabilities (GLSA 202401-30) — Gentoo security
-
https://access.redhat.com/errata/RHSA-2023:7428
RHSA-2023:7428 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN6KV4XGQJRVAOSM5C3CWMVAXO53COIP/
[SECURITY] Fedora 38 Update: xorg-x11-server-1.20.14-26.fc38 - package-announce - Fedora Mailing-ListsMailing List
-
https://access.redhat.com/errata/RHSA-2024:2169
RHSA-2024:2169 - Security Advisory - Red Hat Customer Portal
-
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2Patch;Vendor Advisory
-
https://security.netapp.com/advisory/ntap-20231130-0004/
October 2023 X.Org X Server Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=2244736
2244736 – (CVE-2023-5380) CVE-2023-5380 xorg-x11-server: Use-after-free bug in DestroyWindowIssue Tracking
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AKKIE626TZOOPD533EYN47J4RFNHZVOP/
[SECURITY] Fedora 37 Update: xorg-x11-server-1.20.14-26.fc37 - package-announce - Fedora Mailing-ListsMailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RK66CXMXO3PCPDU3GDY5FK4UYHUXQJT/
[SECURITY] Fedora 39 Update: xorg-x11-server-1.20.14-26.fc39 - package-announce - Fedora Mailing-ListsMailing List
Jump to