CVE-2021-3782

Name
CVE-2021-3782
Description
An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.
NVD Severity
high

References

| Type | URI |
|------|-----|
| MISC | https://gitlab.freedesktop.org/wayland/wayland/-/issues/224 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---------|----------------|-------------|-------------|
| cpe:2.3:a:wayland:wayland:*:*:*:*:*:*:*:* | wayland | >= None | < 1.20.91 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|----------------|--------|---------|------------|--------|
| wayland | 3.16-main | 1.20.0-r0 | Valery Kartel <valery.kartel@gmail.com> | possibly vulnerable |
| wayland | 3.15-main | 1.19.0-r1 | Valery Kartel <valery.kartel@gmail.com> | possibly vulnerable |
| wayland | 3.14-main | 1.19.0-r0 | Valery Kartel <valery.kartel@gmail.com> | possibly vulnerable |
| wayland | 3.13-main | 1.18.0-r5 | Valery Kartel <valery.kartel@gmail.com> | possibly vulnerable |