Vulnerability Description
In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.
CVSS Score
7.7 (HIGH)
Related Weaknesses (CWE)
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1081338;filename=dix-Hol
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0
- https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260
FAQ
What is CVE-2022-49737?
CVE-2022-49737 is a vulnerability with a CVSS score of 7.7 (HIGH). In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a loc...
How severe is CVE-2022-49737?
CVE-2022-49737 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-49737?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.