Trend Micro Uncovers Yet Another X.Org Server Vulnerability: CVE-2023-1393
![X.ORG](/assets/categories/xorg.webp)
CVE-2023-1393 is a use-after-free vulnerability that can lead to local privilege escalation if the xorg-server is still running as root, and to remote code execution for SSH X forwarding sessions.
If a client explicitly destroys the compositor overlay window, the X.Org Server leaves a dangling pointer to that window and will trigger a use-after-free later on.
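As an added illustration (constructed for this article, not xorg-server code and not the project's patch), a small C model of the dangling-pointer pattern just described: a screen holds a raw pointer to its overlay window, and destroying that window without clearing the screen's reference leaves the pointer dangling, while the hardened variant clears it first. All names are assumed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the pattern; names are not xorg-server identifiers. */
typedef struct { unsigned id; } Window;
typedef struct { Window *overlay_win; } Screen;  /* overlay window or NULL */

Window *create_overlay(Screen *s, unsigned id) {
    Window *w = calloc(1, sizeof *w);
    if (w) {
        w->id = id;
        s->overlay_win = w;  /* the screen now holds a reference it must maintain */
    }
    return w;
}

/* Vulnerable pattern: the window is freed but the screen's reference stays,
 * so any later access through s->overlay_win is a use-after-free. */
void destroy_window_dangling(Screen *s, Window *w) {
    (void)s;
    free(w);
}

/* Hardened pattern: clear the owner's reference before freeing. */
void destroy_window_fixed(Screen *s, Window *w) {
    if (s->overlay_win == w)
        s->overlay_win = NULL;
    free(w);
}

/* Safe consumer: dereferences the overlay only while the screen still owns one. */
unsigned overlay_id_or_zero(const Screen *s) {
    return s->overlay_win ? s->overlay_win->id : 0;
}

/* Runs one destroy scenario and reports whether the screen still points at the
 * freed window. Only the pointer value is compared; freed memory is not read. */
bool destroy_leaves_dangling(bool apply_fix) {
    Screen s = { NULL };
    Window *w = create_overlay(&s, 42);
    if (!w)
        return false;
    if (apply_fix)
        destroy_window_fixed(&s, w);
    else
        destroy_window_dangling(&s, w);
    return s.overlay_win != NULL;
}
```

Under a sanitizer build, calling `overlay_id_or_zero` after `destroy_window_dangling` is exactly the access that would be flagged as a heap-use-after-free; after `destroy_window_fixed` it simply returns 0.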
The disclosure was made a few minutes ago on the mailing list.
The two-line fix was made to the X.Org Server Git codebase and will be incorporated into the next xorg-server release. Fortunately, in recent years many setups are able to run the X.Org Server without root privileges, though some still do not, particularly on some non-Linux X.Org Server environments.