CVE-2022-49737

Summary

In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.

Affected Software

VendorProductVersion RangeStatus
X.orgX server20.11 <= 21.1.16affected

Weaknesses

  • CWE-413: CWE-413 Improper Resource Locking

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References