CVE-2022-49737

low-risk
Published 2025-03-16

In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.

Do I need to act?

-
0.20% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.7/10 High
NETWORK / HIGH complexity

References (5)

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1081338;filename=dix-Hol...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338
https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0...
https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338
29
/ 100
low-risk
Severity 23/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal