CVE-2023-3138

7.5 HIGH

📋 TL;DR

A memory corruption vulnerability in libX11 allows malicious X servers or man-in-the-middle proxies to crash X11 client applications. The flaw occurs when untrusted Request, Event, or Error IDs are used as array indexes without bounds checking. This affects any system using vulnerable versions of libX11 to connect to untrusted X servers.

💻 Affected Systems

Products:
  • libX11
  • X.Org X11 libraries
  • applications using X11 protocol
Versions: libX11 versions before 1.8.7
Operating Systems: Linux, Unix-like systems with X11
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when connecting to untrusted X servers or through compromised proxies. Local X servers are typically trusted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Client application crash leading to denial of service, potentially disrupting user sessions or automated processes.

🟠 Likely Case

Application crash when connecting to a malicious X server or compromised proxy.

🟢 If Mitigated

No impact when connecting only to trusted X servers within controlled environments.

🌐 Internet-Facing: LOW - X11 connections are rarely exposed to the internet directly.
🏢 Internal Only: MEDIUM - Risk exists in environments with untrusted X servers or compromised internal proxies.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires control of X server or proxy position. Exploitation leads to crash rather than code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libX11 1.8.7 and later

Vendor Advisory: https://lists.x.org/archives/xorg-announce/2023-June/003406.html

Restart Required: Yes

Instructions:

1. Update the libX11 package to version 1.8.7 or later.
2. Restart affected X11 client applications.
3. For distributions: 'sudo apt update && sudo apt install --only-upgrade libx11-6' (Debian/Ubuntu) or 'sudo yum update libX11' (RHEL/CentOS).

🔧 Temporary Workarounds

Restrict X11 connections (Linux)

Only connect to trusted X servers and avoid untrusted networks for X11 traffic.

Use SSH tunneling (Linux)

Tunnel X11 connections through SSH to encrypt and authenticate connections.

ssh -X user@host

🧯 If You Can't Patch

  • Isolate X11 traffic to trusted networks only
  • Disable X11 forwarding for untrusted connections

🔍 How to Verify

Check if Vulnerable:

Check libX11 version: 'dpkg -l libx11-*' or 'rpm -qa | grep libX11' and compare to 1.8.7.

Check Version:

pkg-config --modversion x11

Verify Fix Applied:

Confirm libX11 version is 1.8.7 or higher using package manager commands.
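
The version comparison described above can be scripted. The following is an added example, not part of the original advisory or of libX11; the function names are illustrative, it assumes GNU `sort -V`, and it assumes the Debian/Ubuntu runtime package is named `libx11-6`. Distribution packages can carry a backported fix under an older upstream version number, so treat a `below-fixed` result as a prompt to check the distribution's security tracker.

```shell
#!/bin/sh
# Added example: compare the installed libX11 version with the fixed version
# stated on this page. Assumes GNU sort (-V); function names are illustrative.
FIXED_VERSION="1.8.7"   # "Patch Version" as given on this page

# Reduce a distro package version to its upstream part:
# "2:1.8.4-2ubuntu0.3" -> "1.8.4" (drops Debian epoch and package revision).
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Succeeds when version $1 >= version $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print the installed libX11 version from the first tool that knows it.
installed_libx11_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists x11; then
        pkg-config --modversion x11
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libx11-6 2>/dev/null   # assumed package name
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' libX11 2>/dev/null
    fi
}

# Classify a version string as fixed, below-fixed or unknown.
libx11_status() {
    up=$(upstream_version "$1")
    case $up in
        ''|*[!0-9.]*) echo "unknown" ;;   # empty or not a dotted number
        *) if version_ge "$up" "$FIXED_VERSION"; then echo "fixed"
           else echo "below-fixed"; fi ;;
    esac
}

# Report on this host; prints "unknown" when no query tool finds libX11.
echo "libX11: $(libx11_status "$(installed_libx11_version)")"
```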

📡 Detection & Monitoring

Log Indicators:

  • X11 client crashes with segmentation faults
  • unexpected X11 connection terminations

Network Indicators:

  • Unusual X11 protocol traffic from untrusted sources
  • X11 connections through unexpected proxies

SIEM Query:

search 'segmentation fault' AND ('X11' OR 'libX11') in application logs
