CVE-2023-1393

A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.

Weakness

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.

Affected Software

Name	Vendor	Start Version	End Version
X_server	X.org	*	21.1.8 (excluding)
Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION	RedHat	tigervnc-0:1.1.0-25.el6_10.13	*
Red Hat Enterprise Linux 7	RedHat	tigervnc-0:1.8.0-25.el7_9	*
Red Hat Enterprise Linux 7	RedHat	xorg-x11-server-0:1.20.4-23.el7_9	*
Red Hat Enterprise Linux 8	RedHat	tigervnc-0:1.12.0-9.el8_7.3	*
Red Hat Enterprise Linux 8	RedHat	xorg-x11-server-0:1.20.11-17.el8	*
Red Hat Enterprise Linux 8	RedHat	xorg-x11-server-Xwayland-0:21.1.3-12.el8	*
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions	RedHat	tigervnc-0:1.9.0-16.el8_1.3	*
Red Hat Enterprise Linux 8.2 Advanced Update Support	RedHat	tigervnc-0:1.9.0-15.el8_2.3	*
Red Hat Enterprise Linux 8.2 Telecommunications Update Service	RedHat	tigervnc-0:1.9.0-15.el8_2.3	*
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions	RedHat	tigervnc-0:1.9.0-15.el8_2.3	*
Red Hat Enterprise Linux 8.4 Extended Update Support	RedHat	tigervnc-0:1.11.0-8.el8_4.2	*
Red Hat Enterprise Linux 8.6 Extended Update Support	RedHat	tigervnc-0:1.12.0-6.el8_6.3	*
Red Hat Enterprise Linux 9	RedHat	tigervnc-0:1.12.0-5.el9_1.2	*
Red Hat Enterprise Linux 9	RedHat	xorg-x11-server-0:1.20.11-19.el9	*
Red Hat Enterprise Linux 9	RedHat	xorg-x11-server-Xwayland-0:22.1.9-2.el9	*
Red Hat Enterprise Linux 9.0 Extended Update Support	RedHat	tigervnc-0:1.11.0-22.el9_0.2	*
Tigervnc	Ubuntu	bionic	*
Tigervnc	Ubuntu	esm-apps/focal	*
Tigervnc	Ubuntu	esm-apps/jammy	*
Tigervnc	Ubuntu	focal	*
Tigervnc	Ubuntu	jammy	*
Tigervnc	Ubuntu	lunar	*
Tigervnc	Ubuntu	mantic	*
Tigervnc	Ubuntu	trusty	*
Tigervnc	Ubuntu	xenial	*
Xorg-server	Ubuntu	bionic	*
Xorg-server	Ubuntu	devel	*
Xorg-server	Ubuntu	esm-infra/bionic	*
Xorg-server	Ubuntu	esm-infra/focal	*
Xorg-server	Ubuntu	focal	*
Xorg-server	Ubuntu	jammy	*
Xorg-server	Ubuntu	kinetic	*
Xorg-server	Ubuntu	lunar	*
Xorg-server	Ubuntu	mantic	*
Xorg-server	Ubuntu	noble	*
Xorg-server	Ubuntu	oracular	*
Xorg-server	Ubuntu	plucky	*
Xorg-server	Ubuntu	questing	*
Xorg-server	Ubuntu	trusty	*
Xorg-server	Ubuntu	trusty/esm	*
Xorg-server	Ubuntu	upstream	*
Xorg-server	Ubuntu	xenial	*
Xorg-server-hwe-16.04	Ubuntu	xenial	*
Xorg-server-hwe-18.04	Ubuntu	bionic	*
Xorg-server-hwe-18.04	Ubuntu	esm-infra/bionic	*
Xorg-server-lts-utopic	Ubuntu	trusty	*
Xorg-server-lts-vivid	Ubuntu	trusty	*
Xorg-server-lts-wily	Ubuntu	trusty	*
Xorg-server-lts-xenial	Ubuntu	trusty	*
Xwayland	Ubuntu	devel	*
Xwayland	Ubuntu	jammy	*
Xwayland	Ubuntu	kinetic	*
Xwayland	Ubuntu	lunar	*
Xwayland	Ubuntu	mantic	*
Xwayland	Ubuntu	noble	*
Xwayland	Ubuntu	oracular	*
Xwayland	Ubuntu	plucky	*
Xwayland	Ubuntu	questing	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-1393
CWE	https://cwe.mitre.org/data/definitions/416.html

Use After Free

Weakness

Affected Software

Potential Mitigations

References