CVE-2021-31535

9.8 CRITICAL

📋 TL;DR

CVE-2021-31535 is a critical buffer overflow vulnerability in libX11's XLookupColor function that allows remote attackers to execute arbitrary code on vulnerable X Window System servers. Attackers can send specially crafted color-name requests that exceed protocol limits, causing the server to interpret overflow data as additional X protocol commands. This affects any system running vulnerable versions of X.Org X server or libX11 with X11 sessions enabled.

💻 Affected Systems

Products:
  • X.Org X server
  • libX11
Versions: X.Org X through X11R7.7, libX11 before 1.7.1
Operating Systems: Linux, Unix-like systems with X11
Default Config Vulnerable: ⚠️ Yes
Notes: Systems using X11 graphical sessions are vulnerable. Wayland-based systems are not affected. The vulnerability requires X11 protocol access to the server.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the X server session allowing attackers to execute arbitrary commands with the privileges of the X server process, potentially leading to full system takeover, disabling X server authentication, and complete control of graphical sessions.

🟠 Likely Case

Remote code execution leading to session hijacking, privilege escalation, and unauthorized access to the graphical desktop environment and user data.

🟢 If Mitigated

Limited impact if X11 forwarding is disabled, network access to X server is restricted, or proper network segmentation isolates X11 traffic.

🌐 Internet-Facing: MEDIUM - While X11 servers are rarely directly internet-facing, they can be exposed through SSH X11 forwarding or misconfigured network settings.
🏢 Internal Only: HIGH - Internal attackers on the same network can exploit this vulnerability to compromise X11 sessions, especially in shared or multi-user environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and can be triggered through malicious terminal color sequences or direct X11 protocol manipulation. No authentication required if network access to X server is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libX11 1.7.1 or later

Vendor Advisory: https://lists.x.org/archives/xorg-announce/2021-May/003116.html

Restart Required: Yes

Instructions:

1. Update the libX11 package to version 1.7.1 or later.
2. Update the X.Org server if a vulnerable version is in use.
3. Restart the X server or reboot the system.
4. For distributions: 'sudo apt update && sudo apt upgrade libx11-6' (Debian/Ubuntu; the runtime package is named libx11-6) or 'sudo yum update libX11' (RHEL/CentOS).

🔧 Temporary Workarounds

Disable X11 TCP listening

linux

Prevent remote connections to the X server. Recent X.Org servers already start with -nolisten tcp by default; the commands below close the remaining SSH X11 forwarding path and re-enable X access control.

# Match the directive whether it is commented out or already set to yes, so the change always takes effect
sudo sed -i 's/^#\?X11Forwarding.*/X11Forwarding no/' /etc/ssh/sshd_config
sudo systemctl restart sshd
# Re-enable host-based access control on the display (entries already on the list stay; list them with plain 'xhost')
xhost -

Restrict X server access

linux

Limit X server access to local connections only

# Point the commands at the display first; xhost acts on $DISPLAY
export DISPLAY=:0
# Allow only local (non-network) clients. Note that +local: grants every local user access to the display, so prefer cookie-based authentication (xauth) where possible and confirm with plain 'xhost' that no network hosts remain on the list
xhost +local:

🧯 If You Can't Patch

  • Disable X11 forwarding in SSH configuration and restart SSH service
  • Implement network segmentation to isolate X11 traffic and restrict access to X server ports (typically 6000-6009)

🔍 How to Verify

Check if Vulnerable:

Confirm libX11 is installed with 'ldconfig -p | grep libX11' (this lists the library path, not its version), then read the version with the command under Check Version below and confirm whether it is below 1.7.1. Check the running X server version with 'X -version'.

Check Version:

pkg-config --modversion x11 || X -version 2>&1 | head -1 || dpkg -l libx11* 2>/dev/null | grep ^ii || rpm -qa | grep libX11

Verify Fix Applied:

Verify libX11 version is 1.7.1 or higher: 'pkg-config --modversion x11' or check package manager. Test with known exploit POC if available in safe environment.

📡 Detection & Monitoring

Log Indicators:

  • Unusual X server connection attempts
  • Failed authentication attempts on X server
  • Large XLookupColor requests in X11 protocol logs

Network Indicators:

  • Unusual traffic on X11 ports (6000-6009)
  • Large X protocol packets exceeding normal size
  • Connection attempts from unexpected sources to X server

SIEM Query:

(source="x11.log" AND ("XLookupColor" OR "color-name" OR packet_size>4096)) OR (destination_port>=6000 AND destination_port<=6009 AND protocol="TCP")
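
The following Python is an added example, not code from the original page or from the X.Org project: it walks a captured X11 client request stream and raises the "large XLookupColor request" indicator listed above, while also flagging a LookupColor whose declared name length does not fit its declared request length. The opcode value (92) and request layout come from the core X11 protocol; the 256-byte threshold, the function names and the sample stream are constructed for this illustration.

```python
import struct

LOOKUP_COLOR = 92          # core X11 opcode sent by XLookupColor
NAME_LEN_THRESHOLD = 256   # constructed threshold: real color names are a few dozen bytes


def build_lookup_color(name: bytes, cmap: int = 0x20, little_endian: bool = True) -> bytes:
    """Encode one well-formed LookupColor request (used only to construct sample traffic)."""
    end = "<" if little_endian else ">"
    pad = (-len(name)) % 4                  # name is padded to a 4-byte boundary
    req_len = (12 + len(name) + pad) // 4   # length field counts 4-byte units
    return struct.pack(end + "BBHIHH", LOOKUP_COLOR, 0, req_len, cmap, len(name), 0) + name + b"\0" * pad


def scan_x11_requests(stream: bytes, little_endian: bool = True) -> list[str]:
    """Walk a post-handshake X11 client request stream and return one alert per anomaly.

    Core request header: opcode (1), opcode data (1), length (2, in 4-byte units).
    LookupColor body: colormap (4), name length n (2), unused (2), name (n, padded to 4).
    Assumes BIG-REQUESTS is not in use: a zero length field is reported and stops the scan.
    """
    end = "<" if little_endian else ">"
    alerts, off, idx = [], 0, 0
    while off + 4 <= len(stream):
        opcode, _, req_len = struct.unpack_from(end + "BBH", stream, off)
        if req_len == 0:
            alerts.append(f"req#{idx}@{off}: zero length field (BIG-REQUESTS?), scan stopped")
            break
        size = req_len * 4
        if off + size > len(stream):
            alerts.append(f"req#{idx}@{off}: opcode {opcode} declares {size} bytes beyond end of stream")
            break
        if opcode == LOOKUP_COLOR:
            if size < 12:
                alerts.append(f"req#{idx}@{off}: LookupColor shorter than its fixed header")
            else:
                n = struct.unpack_from(end + "H", stream, off + 8)[0]
                if 12 + n + (-n) % 4 != size:   # framing must cover exactly the padded name
                    alerts.append(f"req#{idx}@{off}: LookupColor name length {n} inconsistent with request length {size}")
                elif n > NAME_LEN_THRESHOLD:
                    alerts.append(f"req#{idx}@{off}: oversized LookupColor name ({n} bytes)")
        off += size
        idx += 1
    return alerts


# Constructed sample stream: a normal lookup of "red", a Bell request (opcode 104, 4 bytes),
# then a lookup carrying a 1000-byte name, which is what the "large XLookupColor request" indicator means.
SAMPLE_STREAM = build_lookup_color(b"red") + struct.pack("<BBH", 104, 0, 1) + build_lookup_color(b"A" * 1000)
```

Running scan_x11_requests(SAMPLE_STREAM) yields a single alert for the third request; feed it the client-to-server bytes of a pcap follow-stream export to apply the same check to real traffic.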
