Veracode Vulnerability DatabaseVERACODE:45102Improper Neutralization Of Null Byte Or NUL Character
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%
X.Org server is vulnerable to Improper Neutralization Of Null Byte Or NUL Character. The vulnerability is caused due to GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client tries to access the buffer , the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL leading to Denial Of Service (DOS).
References
access.redhat.com/errata/RHSA-2024:0320
access.redhat.com/errata/RHSA-2024:2169
access.redhat.com/errata/RHSA-2024:2170
access.redhat.com/errata/RHSA-2024:2995
access.redhat.com/errata/RHSA-2024:2996
access.redhat.com/security/cve/CVE-2024-0408
bugzilla.redhat.com/show_bug.cgi?id=2257689
lists.debian.org/debian-lts-announce/2024/01/msg00016.html
lists.fedoraproject.org/archives/list/[email protected]/message/5J4H7CH565ALSZZYKOJFYDA5KFLG6NUK/
lists.fedoraproject.org/archives/list/[email protected]/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW/
lists.fedoraproject.org/archives/list/[email protected]/message/IZ75X54CN4IFYMIV7OK3JVZ57FHQIGIC/
security-tracker.debian.org/tracker/CVE-2024-0408
security.gentoo.org/glsa/202401-30
security.netapp.com/advisory/ntap-20240307-0006/
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%