The `_XkbSetCompatMap()` function attempts to resize the `sym_interpret` buffer. However, it didn't update its size properly. It updated `num_si` only, without `size_si`: https://gitlab.freedesktop.org/xorg/xserver/-/blob/cdb4d5648a818a8e8ab282341be37109589229ab/xkb/xkb.c#L2998 The exploit uses a bitmap to achieve arbitrary read and write. It leads to LPE on some distributions (Xorg in Debian Xfce is run as root under a specific display driver) and RCE in SSH X11 forwarding environments. The exploit doesn't work if the OS is installed on VMware and default VirtualBox. It works on VirtualBox with the VBoxVGA graphics controller.
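The bookkeeping flaw described above, reduced to a simplified model as an added example (not xserver code): `table_t` and every function name are hypothetical, `num` and `size` play the roles of `num_si` and `size_si`, and the `real` field exists only so the demo can observe the true allocation.

```c
#include <stdlib.h>

/* Simplified model; hypothetical names, not the xserver structures. */
typedef struct {
    int *items;   /* heap buffer */
    size_t num;   /* entries in use (role of num_si) */
    size_t size;  /* capacity other code trusts (role of size_si) */
    size_t real;  /* true allocation, tracked only for this demo */
} table_t;

static int table_init(table_t *t, size_t cap) {  /* cap must be > 0 */
    t->items = calloc(cap, sizeof *t->items);
    if (!t->items) return -1;
    t->num = 0;
    t->size = t->real = cap;
    return 0;
}

/* Flawed resize: the buffer and num change, size is left stale. */
static int resize_buggy(table_t *t, size_t first, size_t n) {
    size_t want = first + n;
    if (want <= t->num) return 0;
    int *p = realloc(t->items, want * sizeof *p);
    if (!p) return -1;
    t->items = p; t->real = want;
    t->num = want;               /* size is not updated */
    return 0;
}

/* Corrected resize: every field describing the buffer moves together. */
static int resize_fixed(table_t *t, size_t first, size_t n) {
    size_t want = first + n;
    if (want <= t->num) return 0;
    int *p = realloc(t->items, want * sizeof *p);
    if (!p) return -1;
    t->items = p; t->real = want;
    t->num = t->size = want;
    return 0;
}

/* Invariant any later code relies on: num <= size <= true allocation. */
static int table_consistent(const table_t *t) {
    return t->num <= t->size && t->size <= t->real;
}

/* Returns 1 if the table is still consistent after one resize request. */
int demo(int use_fixed, size_t cap, size_t first, size_t n) {
    table_t t;
    if (table_init(&t, cap)) return -1;
    int rc = use_fixed ? resize_fixed(&t, first, n) : resize_buggy(&t, first, n);
    int ok = (rc == 0) && table_consistent(&t);
    free(t.items);
    return ok;
}
```

An assertion like `table_consistent()` after every resize path is a cheap way to catch this class of desynchronised count/capacity fields in debug and fuzzing builds.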
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:8798 https://access.redhat.com/errata/RHSA-2024:8798
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:9540 https://access.redhat.com/errata/RHSA-2024:9540
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:9579 https://access.redhat.com/errata/RHSA-2024:9579
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:9601 https://access.redhat.com/errata/RHSA-2024:9601
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:9690 https://access.redhat.com/errata/RHSA-2024:9690
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2024:9818 https://access.redhat.com/errata/RHSA-2024:9818
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Via RHSA-2024:9820 https://access.redhat.com/errata/RHSA-2024:9820
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Via RHSA-2024:9819 https://access.redhat.com/errata/RHSA-2024:9819
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2024:9816 https://access.redhat.com/errata/RHSA-2024:9816
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2024:9901 https://access.redhat.com/errata/RHSA-2024:9901
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:10090 https://access.redhat.com/errata/RHSA-2024:10090
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:7163 https://access.redhat.com/errata/RHSA-2025:7163
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:7165 https://access.redhat.com/errata/RHSA-2025:7165
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:7458 https://access.redhat.com/errata/RHSA-2025:7458