An internal reference count is held on the buffer pool incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing a use-after-free can be constructed on the wl_shm_pool tracking structure where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.

...

CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

DEBIAN-CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

AZL-11019 CVE-2021-3782 affecting package wayland for versions less than 1.21.0-1

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

Design/Logic Flaw

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

CVE-2021-3782

Wayland vulnerable component: wl_shm and wl_shm_pool in the Wayland buffer handling. CVE-2021-3782 is a reference-count overflow on LP64 systems when objects are created from the buffer pool, which can lead to a use-after-free in the wl_shm_pool tracking structure and, in some cases, a limited or...

CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

OESA-2022-1920 wayland security update

Wayland is a protocol for a compositor to talk to its clients as well as a C library implementation of that protocol. The compositor can be a standalone display server running on Linux kernel modesetting and evdev input devices, an X application, or a wayland client itself. The clients can be...

Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Wayland vulnerability (USN-5614-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5614-1 advisory. It was discovered that Wayland incorrectly handled reference counting certain objects. An attacker could use this issue to cause Wayland t...

CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

UBUNTU-CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wlshm buffer objects, or if it...

PT-2021-8110 · Xwayland +9 · Xwayland +9

Name of the Vulnerable Software and Affected Versions: Wayland affected versions not specified Description: The issue is related to an integer overflow in the reference count of the buffer pool. This can occur when a large number of wl shm buffer objects are created or when the server is coerced...

jetty: double release of resource can lead to information disclosure

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this doub...