XWayland & X.Org Server See New Releases Due To Three More Security Vulnerabilities.


The X.Org Server and XWayland saw new point releases today as a result of three more security vulnerabilities being disclosed.

October began with new X.Org security vulnerabilities, two of which dated back to the year 1988. Now as we approach the end of October, three more vulnerabilities have been made public.

CVE-2023-5367 is an out-of-bounds write within XIChangeDeviceProperty/RRChangeOutputProperty, where memcpy() can end up writing into memory outside of the heap-allocated array. CVE-2023-5380 is a use-after-free within DestroyWindow; this vulnerability only affects multi-monitor "Zaphod" mode setups. The third is CVE-2023-5574, another use-after-free bug, this time within DamageDestroy and also affecting multi-head Zaphod mode setups.

X.Org Server 21.1.9 and XWayland 23.2.2 were released today with the X.Org patches to address these out-of-bounds and use-after-free errors. These three CVEs come as a result of the Trend Micro Zero Day Initiative, which has also uncovered many other X.Org vulnerabilities over prior years.