CVE-2024-0409

7.8 HIGH

📋 TL;DR

This vulnerability in the X.Org server's cursor code allows memory corruption because Xephyr and Xwayland use incorrect private types, potentially leading to privilege escalation or denial of service. It affects systems running vulnerable versions of the X.Org server with Xephyr or Xwayland enabled. The flaw specifically overwrites XSELINUX security contexts during cursor initialization.

💻 Affected Systems

Products:
  • X.Org X Server
  • Xephyr
  • Xwayland
Versions: Prior to the fixes in the Red Hat advisories (specific versions vary by distribution)
Operating Systems: Linux distributions using X.Org (RHEL, Fedora, Ubuntu, Debian, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Xephyr or Xwayland enabled. Standard Xorg server without these components may not be vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Privilege escalation to root, complete system compromise, or persistent backdoor installation via memory corruption.

🟠 Likely Case

Denial of service (X server crash) or limited privilege escalation within the X session context.

🟢 If Mitigated

Minimal impact if SELinux is disabled or proper access controls restrict X server privileges.

🌐 Internet-Facing: LOW - X servers typically don't expose services directly to the internet.
🏢 Internal Only: MEDIUM - Requires local access or ability to interact with X server, but common in desktop environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to trigger the cursor initialization flaw. Memory corruption vulnerabilities can be challenging to exploit reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific distribution updates (e.g., xorg-x11-server-Xwayland-21.1.11-1.el9 for RHEL 9)

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:0320

Restart Required: Yes

Instructions:

1. Update X.Org server packages using your distribution's package manager.
2. For RHEL/CentOS: 'sudo yum update xorg-x11-server*'.
3. For Ubuntu/Debian: 'sudo apt update && sudo apt upgrade xserver-xorg-core'.
4. Restart the X server or reboot the system.

🔧 Temporary Workarounds

Disable Xephyr/Xwayland (linux)

If not required, disable the vulnerable components to reduce attack surface.

  • Check if running: 'ps aux | grep -E "(Xephyr|Xwayland)"'
  • Disable via distribution-specific configuration

Restrict X server privileges (linux)

Run the X server with reduced privileges using SELinux or another MAC system.

  • Ensure SELinux is enforcing: 'getenforce' should return 'Enforcing'
  • Review SELinux policies for the X server

🧯 If You Can't Patch

  • Isolate affected systems from untrusted users and networks
  • Implement strict access controls and monitor for unusual X server behavior

🔍 How to Verify

Check if Vulnerable:

Check the installed X server version: 'Xorg -version', 'rpm -q xorg-x11-server-Xwayland', or 'dpkg -l xserver-xorg-core'

Check Version:

Xorg -version 2>&1 | head -1

Verify Fix Applied:

Verify that the installed package version matches the patched version from the vendor advisory, and check that the X server restarts without errors.

📡 Detection & Monitoring

Log Indicators:

  • X server segmentation faults or crashes in /var/log/Xorg.0.log
  • SELinux context violation messages in audit logs

Network Indicators:

  • Unusual local socket connections to X server display

SIEM Query:

source="/var/log/Xorg.0.log" AND ("segmentation fault" OR "crash" OR "SIGSEGV")
