-
CVE-2025-49175: Out-of-bounds access in X Rendering extension (Animated cursors)
The X Rendering extension allows creating animated cursors providing a
list of cursors.
By default, the Xserver assumes at least one cursor is provided, while a
client may actually pass no cursor at all. This causes an out-of-bounds
read when creating the animated cursor and a crash of the Xserver.
-
CVE-2025-49177: Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
The handler of XFixesSetClientDisconnectMode does not check the client
request length.
A client could send a shorter request and read data from a former
request.
-
CVE-2025-49178: Unprocessed client request via bytes to ignore
When reading requests from the clients, the input buffer might be shared
and used between different clients.
If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client whose
request will not be processed because of those bytes to ignore, leading
to a possible hang of the other client request.
-
CVE-2025-49179: Integer overflow in X Record extension
The RecordSanityCheckRegisterClients() function in the X Record extension
implementation of the Xserver checks for the request length, but does not
check for integer overflow.
A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.
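
The following is an added example, not code from the Xserver or from this advisory: a simplified model of a length check that wraps in 32-bit arithmetic, next to an overflow-safe form. The function names and the byte sizes are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sizes for illustration; not taken from the Xserver sources. */
#define HDR_BYTES    20u  /* fixed part of the request */
#define CLIENT_BYTES  4u  /* one client spec */
#define RANGE_BYTES  24u  /* one protocol range */

/* Unchecked pattern: the 32-bit products wrap, so a huge count can yield
 * a small "needed" value that matches a short request. */
bool length_ok_unchecked(uint32_t req_bytes, uint32_t n_clients, uint32_t n_ranges)
{
    uint32_t needed = HDR_BYTES + n_clients * CLIENT_BYTES + n_ranges * RANGE_BYTES;
    return needed == req_bytes;
}

/* Hardened pattern: bound each count by the space actually left in the
 * request before multiplying, so no product can wrap. */
bool length_ok_checked(uint32_t req_bytes, uint32_t n_clients, uint32_t n_ranges)
{
    if (req_bytes < HDR_BYTES)
        return false;
    uint32_t room = req_bytes - HDR_BYTES;
    if (n_clients > room / CLIENT_BYTES)
        return false;
    room -= n_clients * CLIENT_BYTES;  /* safe: n_clients is bounded above */
    if (n_ranges > room / RANGE_BYTES)
        return false;
    return room == n_ranges * RANGE_BYTES;
}

int main(void)
{
    /* Constructed input: the count times CLIENT_BYTES wraps to 0 in 32 bits. */
    uint32_t huge = 0x40000000u;
    printf("well-formed: unchecked=%d checked=%d\n",
           length_ok_unchecked(52, 2, 1), length_ok_checked(52, 2, 1));
    printf("wrapping:    unchecked=%d checked=%d\n",
           length_ok_unchecked(20, huge, 0), length_ok_checked(20, huge, 0));
    return 0;
}
```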
-
CVE-2025-49180: Integer overflow in RandR extension (RRChangeProviderProperty)
A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().