Fluid Attacks Database

Description

A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	xorg-server	=2:21.1.7-3 \|\| =2:21.1.7-3+deb12u1 \|\| =2:21.1.7-3+deb12u2 \|\| =2:21.1.7-3+deb12u3 \|\| =2:21.1.7-3+deb12u4 \|\| =2:21.1.7-3+deb12u5 \|\| =2:21.1.7-3+deb12u6 \|\| =2:21.1.7-3+deb12u7 \|\| =2:21.1.7-3+deb12u8 \|\| =2:21.1.7-3+deb12u9 \|\| >=0 <2:21.1.7-3+deb12u10	2:21.1.7-3+deb12u10
debian 13	xorg-server	>=0 <2:21.1.16-1.2	2:21.1.16-1.2
debian 14	xorg-server	>=0 <2:21.1.16-1.2	2:21.1.16-1.2
debian 12	xwayland	=2:22.1.9-1 \|\| =2:23.1.0-1 \|\| =2:23.1.1-1 \|\| =2:23.2.0-1 \|\| =2:23.2.1-1 \|\| =2:23.2.2-1 \|\| =2:23.2.3-1 \|\| =2:23.2.4-1 \|\| =2:23.2.6-1 \|\| =2:24.0.99.901-1 \|\| =2:24.1.0-1 \|\| =2:24.1.10-1 \|\| =2:24.1.11-1 \|\| =2:24.1.2-1 \|\| =2:24.1.3-1 \|\| =2:24.1.4-1 \|\| =2:24.1.4-2 \|\| =2:24.1.4-3 \|\| =2:24.1.5-1 \|\| =2:24.1.6-1 \|\| =2:24.1.8-1 \|\| =2:24.1.9-1	-
debian 13	xwayland	=2:24.1.10-1 \|\| =2:24.1.11-1 \|\| =2:24.1.6-1 \|\| =2:24.1.8-1 \|\| =2:24.1.9-1	-
debian 14	xwayland	=2:24.1.6-1 \|\| >=0 <2:24.1.8-1	2:24.1.8-1
rpm rhel9	tigervnc	-	-
rpm rhel6	xorg-x11-server	-	-
rpm rhel7	xorg-x11-server	-	-
rpm rhel7	tigervnc	-	-

1-10 of 18

Aliases

1. CVE-2025-491772. NVD-2025-491773. OSV-DEBIAN-2025-491774. OSV-2025-491775. SECURITY-TRACKER-CVE-2025-49177