An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.
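
The counter pattern described above, as an added C example that is not taken from Wayland or from its fix: `struct pool` and the `pool_*` functions are hypothetical names. It contrasts an unchecked `int` increment with one that refuses new references at `INT_MAX`, so the count cannot wrap and release storage that is still referenced.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical pool tracking structure; not libwayland's definition. */
struct pool {
    int refcount; /* int stays 32 bits on LP64, so it can reach INT_MAX */
    void *data;   /* backing storage freed when the last reference drops */
};

/* Unchecked pattern: at INT_MAX this increment is signed overflow. */
void pool_ref_unchecked(struct pool *p)
{
    p->refcount++;
}

/* Checked pattern: reject a dead pool and refuse to go past INT_MAX. */
bool pool_ref_checked(struct pool *p)
{
    if (p->refcount <= 0 || p->refcount == INT_MAX)
        return false;
    p->refcount++;
    return true;
}

/* Drop one reference; returns true when the storage was freed. */
bool pool_unref(struct pool *p)
{
    if (p->refcount <= 0 || --p->refcount > 0)
        return false;
    free(p->data);
    p->data = NULL;
    return true;
}

int main(void)
{
    /* Constructed state: one step below saturation. */
    struct pool p = { .refcount = INT_MAX - 1, .data = malloc(16) };
    bool last_ok = pool_ref_checked(&p);   /* takes the final allowed reference */
    bool refused = !pool_ref_checked(&p);  /* saturated counter: request refused */
    printf("last_ok=%d refused=%d refcount=%d\n", last_ok, refused, p.refcount);
    p.refcount = 1;
    printf("freed=%d\n", pool_unref(&p));
    return 0;
}
```

A caller that gets `false` from `pool_ref_checked` has to fail the buffer creation instead of continuing with an untracked reference.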

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:wayland:wayland:*:*:*:*:*:*:*:* | wayland | >= None | < 1.20.91 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| wayland | 3.16-main | 1.20.0-r0 | Valery Kartel | possibly vulnerable |
| wayland | 3.15-main | 1.19.0-r1 | Valery Kartel | possibly vulnerable |
| wayland | 3.14-main | 1.19.0-r0 | Valery Kartel | possibly vulnerable |
| wayland | 3.13-main | 1.18.0-r5 | Valery Kartel | possibly vulnerable |