Description
A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.
Problem types
Product status
0:24.1.5-5.el10_0 (rpm) before *
0:24.1.5-5.el10_1 (rpm) before *
0:1.1.0-25.el6_10.15 (rpm) before *
0:1.20.4-33.el7_9 (rpm) before *
0:1.8.0-36.el7_9.3 (rpm) before *
0:21.1.3-19.el8_10 (rpm) before *
0:1.20.11-27.el8_10 (rpm) before *
0:1.15.0-8.el8_10 (rpm) before *
0:1.9.0-15.el8_2.15 (rpm) before *
0:1.20.6-5.el8_2 (rpm) before *
0:1.11.0-8.el8_4.14 (rpm) before *
0:1.20.10-3.el8_4 (rpm) before *
0:1.11.0-8.el8_4.14 (rpm) before *
0:1.20.10-3.el8_4 (rpm) before *
0:1.12.0-6.el8_6.15 (rpm) before *
0:1.20.11-6.el8_6 (rpm) before *
0:1.12.0-6.el8_6.15 (rpm) before *
0:1.20.11-6.el8_6 (rpm) before *
0:1.12.0-6.el8_6.15 (rpm) before *
0:1.20.11-6.el8_6 (rpm) before *
0:1.12.0-15.el8_8.16 (rpm) before *
0:1.20.11-17.el8_8 (rpm) before *
0:1.12.0-15.el8_8.16 (rpm) before *
0:1.20.11-17.el8_8 (rpm) before *
0:1.20.11-32.el9_6 (rpm) before *
0:1.14.1-9.el9_6 (rpm) before *
0:23.2.7-5.el9_6 (rpm) before *
0:1.15.0-6.el9_7 (rpm) before *
0:23.2.7-5.el9_7 (rpm) before *
0:1.20.11-32.el9_7 (rpm) before *
0:1.11.0-22.el9_0.16 (rpm) before *
0:1.20.11-12.el9_0 (rpm) before *
0:1.12.0-14.el9_2.13 (rpm) before *
0:1.20.11-19.el9_2 (rpm) before *
0:1.13.1-8.el9_4.8 (rpm) before *
0:1.20.11-27.el9_4 (rpm) before *
Timeline
| 2025-10-09: | Reported to Red Hat. |
| 2025-10-29: | Made public. |
Credits
Red Hat would like to thank Jan-Niklas Sohn (Trend Micro Zero Day Initiative) for reporting this issue.
References
lists.debian.org/debian-lts-announce/2025/10/msg00033.html
www.openwall.com/lists/oss-security/2025/10/28/7
access.redhat.com/errata/RHSA-2025:19432 (RHSA-2025:19432)
access.redhat.com/errata/RHSA-2025:19433 (RHSA-2025:19433)
access.redhat.com/errata/RHSA-2025:19434 (RHSA-2025:19434)
access.redhat.com/errata/RHSA-2025:19435 (RHSA-2025:19435)
access.redhat.com/errata/RHSA-2025:19489 (RHSA-2025:19489)
access.redhat.com/errata/RHSA-2025:19623 (RHSA-2025:19623)
access.redhat.com/errata/RHSA-2025:19909 (RHSA-2025:19909)
access.redhat.com/errata/RHSA-2025:20958 (RHSA-2025:20958)
access.redhat.com/errata/RHSA-2025:20960 (RHSA-2025:20960)
access.redhat.com/errata/RHSA-2025:20961 (RHSA-2025:20961)
access.redhat.com/errata/RHSA-2025:21035 (RHSA-2025:21035)
access.redhat.com/errata/RHSA-2025:22040 (RHSA-2025:22040)
access.redhat.com/errata/RHSA-2025:22041 (RHSA-2025:22041)
access.redhat.com/errata/RHSA-2025:22051 (RHSA-2025:22051)
access.redhat.com/errata/RHSA-2025:22055 (RHSA-2025:22055)
access.redhat.com/errata/RHSA-2025:22056 (RHSA-2025:22056)
access.redhat.com/errata/RHSA-2025:22077 (RHSA-2025:22077)
access.redhat.com/errata/RHSA-2025:22096 (RHSA-2025:22096)
access.redhat.com/errata/RHSA-2025:22164 (RHSA-2025:22164)
access.redhat.com/errata/RHSA-2025:22167 (RHSA-2025:22167)
access.redhat.com/errata/RHSA-2025:22364 (RHSA-2025:22364)
access.redhat.com/errata/RHSA-2025:22365 (RHSA-2025:22365)
access.redhat.com/errata/RHSA-2025:22426 (RHSA-2025:22426)
access.redhat.com/errata/RHSA-2025:22427 (RHSA-2025:22427)
access.redhat.com/errata/RHSA-2025:22667 (RHSA-2025:22667)
access.redhat.com/errata/RHSA-2025:22729 (RHSA-2025:22729)
access.redhat.com/errata/RHSA-2025:22742 (RHSA-2025:22742)
access.redhat.com/errata/RHSA-2025:22753 (RHSA-2025:22753)
access.redhat.com/security/cve/CVE-2025-62229
bugzilla.redhat.com/show_bug.cgi?id=2402649 (RHBZ#2402649)
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
