CVE-2024-0409

A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.

Published: Jan 18, 2024
Updated: Nov 16, 2025
CVE: CVE-2024-0409
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
x.org / xwayland	-	23.2.4
tigervnc / tigervnc	-	1.13.1
redhat / enterprise_linux_desktop	7.0	7.0.x
redhat / enterprise_linux_workstation	7.0	7.0.x
redhat / enterprise_linux_for_scientific_computing	7.0	7.0.x
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	6.0	6.0.x
redhat / enterprise_linux_server	7.0	7.0.x
redhat / enterprise_linux_for_power_little_endian	7.0	7.0.x
redhat / enterprise_linux_for_power_big_endian	7.0	7.0.x
redhat / enterprise_linux_for_ibm_z_systems	7.0	7.0.x
redhat / enterprise_linux	8.0	8.0.x
redhat / enterprise_linux	9.0	9.0.x
fedoraproject / fedora	39	39.x
x.org / x_server	-	21.1.11

Vulnerability Database

309,961

CVE-2024-0409

Deep Security Visibility Without the Complexity