Xorg-x11-server: use-after-free bug in destroywindow
Summary
| CVE | CVE-2023-5380 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-25 20:15:18 UTC |
| Updated | 2026-06-23 18:17:37 UTC |
| Description | A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed. |
Risk And Classification
Primary CVSS: v3.1 4.7 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.007150000 probability, percentile 0.490870000 (date 2026-06-28)
Problem Types: CWE-416 | CWE-416 Use After Free
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Debian | Debian Linux | 12.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Operating System | Fedoraproject | Fedora | 38 | All | All | All |
| Operating System | Fedoraproject | Fedora | 39 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 9.0 | All | All | All |
| Application | X.org | Xwayland | All | All | All | All |
| Application | X.org | X Server | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Enterprise Linux 7 | unaffected 0:1.8.0-26.el7_9 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8 | unaffected 0:1.20.11-22.el8 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8 | unaffected 0:1.13.1-8.el8 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | unaffected 0:1.20.11-24.el9 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | unaffected 0:1.13.1-8.el9 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.debian.org/debian-lts-announce/2023/10/msg00036.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| X.Org X Server, XWayland: Multiple Vulnerabilities (GLSA 202401-30) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| 2244736 – (CVE-2023-5380) CVE-2023-5380 xorg-x11-server: Use-after-free bug in DestroyWindow | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | Issue Tracking |
| access.redhat.com/errata/RHSA-2024:3067 | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| cve-details | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | Third Party Advisory |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| access.redhat.com/errata/RHSA-2023:7428 | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | Third Party Advisory |
| X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2 | af854a3a-2127-422b-91ae-364da2661108 | lists.x.org | Patch, Vendor Advisory |
| [SECURITY] Fedora 38 Update: tigervnc-1.13.1-6.fc38 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| access.redhat.com/errata/RHSA-2024:2995 | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| security.netapp.com/advisory/ntap-20231130-0004 | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | |
| access.redhat.com/errata/RHSA-2024:2298 | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| access.redhat.com/errata/RHSA-2024:2169 | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| [SECURITY] Fedora 39 Update: xorg-x11-server-1.20.14-26.fc39 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Debian -- Security Information -- DSA-5534-1 xorg-server | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| [SECURITY] Fedora 38 Update: xorg-x11-server-1.20.14-26.fc38 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| [SECURITY] Fedora 37 Update: xorg-x11-server-1.20.14-26.fc37 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2023-10-17T00:00:00.000Z | Reported to Red Hat. |
| CNA | 2023-10-25T00:00:00.000Z | Made public. |
Legacy QID Mappings
- 161193 Oracle Enterprise Linux Security Update for tigervnc (ELSA-2023-7428)
- 199866 Ubuntu Security Notification for X.Org X Server Vulnerabilities (USN-6453-1)
- 199877 Ubuntu Security Notification for X.Org X Server Vulnerabilities (USN-6453-2)
- 242499 Red Hat Update for tigervnc (RHSA-2023:7428)
- 284686 Fedora Security Update for xorg (FEDORA-2023-1f4f1b8365)
- 284725 Fedora Security Update for xorg (FEDORA-2023-f111d2f306)
- 284729 Fedora Security Update for tigervnc (FEDORA-2023-dbacf5d9f6)
- 284745 Fedora Security Update for tigervnc (FEDORA-2023-4708733ccc)
- 285157 Fedora Security Update for tigervnc (FEDORA-2023-4bb75fa8f2)
- 285174 Fedora Security Update for xorg (FEDORA-2023-b88929bc79)
- 296108 Oracle Solaris 11.4 Support Repository Update (SRU) 66.164.1 Missing (CPUJAN2024)
- 356618 Amazon Linux Security Advisory for xorg-x11-server : ALAS2023-2023-404
- 356738 Amazon Linux Security Advisory for xorg-x11-server : ALAS2-2023-2335
- 356746 Amazon Linux Security Advisory for xorg-x11-server : ALAS-2023-1884
- 356991 Amazon Linux Security Advisory for xorg-x11-server : AL2012-2023-475
- 379276 Alibaba Cloud Linux Security Update for tigervnc (ALINUX2-SA-2023:0050)
- 503445 Alpine Linux Security Update for xorg-server
- 506278 Alpine Linux Security Update for xorg-server
- 6000255 Debian Security Update for xorg-server (DLA 3631-1)
- 6000298 Debian Security Update for xorg-server (DSA 5534-1)
- 673442 EulerOS Security Update for xorg-x11-server (EulerOS-SA-2024-1307)
- 673495 EulerOS Security Update for xorg-x11-server (EulerOS-SA-2024-1169)
- 673515 EulerOS Security Update for xorg-x11-server (EulerOS-SA-2024-1131)
- 673733 EulerOS Security Update for xorg-x11-server (EulerOS-SA-2024-1115)
- 691339 Free Berkeley Software Distribution (FreeBSD) Security Update for xorg (9e2fdfc7-e237-4393-9fa5-2d50908c66b3)
- 710847 Gentoo Linux X.Org X Server, XWayland Multiple Vulnerabilities (GLSA 202401-30)
- 755188 SUSE Enterprise Linux Security Update for xorg-x11-server (SUSE-SU-2023:4272-1)
- 755191 SUSE Enterprise Linux Security Update for xorg-x11-server (SUSE-SU-2023:4269-1)
- 755204 SUSE Enterprise Linux Security Update for xorg-x11-server (SUSE-SU-2023:4292-1)
- 755217 SUSE Enterprise Linux Security Update for xorg-x11-server (SUSE-SU-2023:4338-1)