xorg-x11-server
cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*
An out-of-bounds write vulnerability has been identified in X.Org and Xwayland. The issue arises in the function GetBarrierDevice(), which retrieves a pointer device based on its device ID. If no match is found, the function is supposed to return NULL. However, the code incorrectly returns the last element of the list when no matching ID is found, leading to out-of-bounds memory access.
Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow an attacker to execute arbitrary code with elevated privileges.
The vulnerability can be reproduced by calling the GetBarrierDevice() function with a device ID that does not match any existing pointer device. This will trigger the function to return the last element of the device list, causing an out-of-bounds write.
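The lookup flaw described above, as an added example that is not X.Org source code: a simplified model in which the flawed lookup hands back the last list entry for an unknown ID, next to a version that returns NULL. The struct, function names and device IDs are hypothetical, and the model only shows the write landing on the wrong record, not the server's memory layout.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a per-device record (hypothetical, not X.Org's). */
struct dev_entry {
    int deviceid;
    int hits;                  /* field a caller writes through the result */
    struct dev_entry *next;
};
typedef struct dev_entry *(*lookup_fn)(struct dev_entry *, int);

/* Flawed pattern: the loop cursor doubles as the result, so when no ID
 * matches it is still non-NULL and points at the last entry. */
static struct dev_entry *lookup_flawed(struct dev_entry *head, int deviceid)
{
    struct dev_entry *cur = head;
    while (cur && cur->next && cur->deviceid != deviceid)
        cur = cur->next;
    return cur;
}

/* Corrected pattern: a separate result pointer stays NULL unless matched. */
static struct dev_entry *lookup_fixed(struct dev_entry *head, int deviceid)
{
    struct dev_entry *found = NULL;
    for (struct dev_entry *cur = head; cur && !found; cur = cur->next)
        if (cur->deviceid == deviceid)
            found = cur;
    return found;
}

/* Constructed sample: devices 2, 3, 4 exist and ID 9 does not. A caller that
 * checks for NULL asks for 9; returns how many writes hit the last entry. */
static int stray_writes(lookup_fn lookup)
{
    struct dev_entry c = {4, 0, NULL}, b = {3, 0, &c}, a = {2, 0, &b};
    struct dev_entry *d = lookup(&a, 9);
    if (d != NULL)             /* only helps if lookup can return NULL */
        d->hits++;
    return c.hits;
}

int main(void)
{
    printf("flawed lookup: %d stray write(s)\n", stray_writes(lookup_flawed));
    printf("fixed lookup:  %d stray write(s)\n", stray_writes(lookup_fixed));
    return 0;
}
```

The caller's NULL check is identical in both runs; it only becomes effective once the lookup can actually return NULL.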
Users can apply the available update for this vulnerability. Instructions for updating can be found in the Red Hat Product Errata RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, RHSA-2025:2865, RHSA-2025:2873, RHSA-2025:2874, RHSA-2025:2875, RHSA-2025:7163, RHSA-2025:7165, and RHSA-2025:7458.