CVE-2021-3782

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3782
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3782.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-3782
Related
Published
2022-09-23T16:15:10Z
Modified
2024-06-05T01:03:58.893724Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Summary
[none]
Details

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.
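
The failure mode described above, as an added example that is not part of the original record and is not Wayland's code or its fix: a 32-bit `int` reference count that wraps lets the tracking structure be released while holders remain, and a checked increment refuses the reference instead. The `toy_pool` type and all function names are hypothetical, and the starting counter values are constructed.

```c
#include <limits.h>
#include <stdbool.h>

/* Hypothetical stand-in for a pool tracking structure; not Wayland's own. */
struct toy_pool {
    int refcount; /* 32 bits wide even on LP64 */
    bool freed;   /* set once the count drops to zero */
};

/* Unchecked increment. Signed overflow is undefined in C, so the wrap is
 * modelled through unsigned arithmetic (two's-complement result on gcc/clang). */
static void toy_ref_unchecked(struct toy_pool *p) {
    p->refcount = (int)((unsigned int)p->refcount + 1u);
}

/* Checked increment: refuse the new reference instead of wrapping. */
static bool toy_ref_checked(struct toy_pool *p) {
    if (p->freed || p->refcount <= 0 || p->refcount == INT_MAX)
        return false;
    p->refcount++;
    return true;
}

/* Drop one reference; the pool is released when the count reaches zero. */
static void toy_unref(struct toy_pool *p) {
    if (--p->refcount == 0)
        p->freed = true;
}

/* Constructed state: 2^32 - 1 references already taken, counter reads -1. */
static bool wrap_frees_early(void) {
    struct toy_pool p = { .refcount = -1, .freed = false };
    toy_ref_unchecked(&p); /* holders: 2^32,     counter: 0 */
    toy_ref_unchecked(&p); /* holders: 2^32 + 1, counter: 1 */
    toy_unref(&p);         /* one holder leaves, counter: 0 */
    return p.freed;        /* released while 2^32 holders remain */
}

/* Constructed state: counter already at INT_MAX. */
static bool checked_refuses_at_max(void) {
    struct toy_pool p = { .refcount = INT_MAX, .freed = false };
    return !toy_ref_checked(&p) && p.refcount == INT_MAX && !p.freed;
}

int main(void) {
    return (wrap_frees_early() && checked_refuses_at_max()) ? 0 : 1;
}
```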

References

Affected packages

Git / gitlab.freedesktop.org/wayland/wayland

Affected ranges

Type
GIT
Repo
https://gitlab.freedesktop.org/wayland/wayland
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.94.90
0.95.0
0.99.0

1.*

1.0.0
1.0.1
1.0.90
1.1.0
1.1.91
1.10.0
1.10.91
1.10.92
1.10.93
1.11.0
1.11.91
1.11.92
1.11.93
1.11.94
1.12.0
1.12.91
1.12.92
1.12.93
1.13.0
1.13.91
1.13.92
1.13.93
1.14.0
1.14.91
1.14.92
1.14.93
1.15.0
1.15.91
1.15.92
1.15.93
1.15.94
1.16.0
1.16.91
1.16.92
1.16.93
1.17.0
1.17.91
1.17.92
1.17.93
1.18.0
1.18.91
1.18.92
1.18.93
1.19.0
1.19.91
1.19.92
1.19.93
1.2.0
1.2.91
1.2.92
1.20.0
1.3.0
1.3.91
1.3.92
1.3.93
1.4.0
1.4.91
1.4.92
1.4.93
1.5.0
1.5.91
1.5.92
1.5.93
1.6.0
1.6.91
1.6.92
1.6.93
1.7.0
1.7.91
1.7.92
1.7.93
1.8.0
1.8.91
1.8.92
1.8.93
1.9.0
1.9.91
1.9.92
1.9.93