CVE-2022-49737

CVE-2022-49737 is a race condition vulnerability in the X.Org X server versions 20.11 through 21.1.16. It occurs when a client application uses the easystroke tool for mouse gestures, during which the main thread modifies data structures used by the input thread without acquiring an input lock. Specifically, the AttachDevice function in dix/devices.c fails to acquire this lock, leading to potential concurrent access issues. The vulnerability is classified under CWE-413 (Logic Error) with a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).

An attacker with low privileges (PR:L) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation changes scope (S:C), allowing limited confidentiality and integrity impacts (C:L/I:L) alongside high availability impact (A:H), such as crashing the X server or disrupting input handling through manipulated device attachments.

Mitigation involves applying patches that ensure the input lock is held during AttachDevice operations, as detailed in the referenced Debian bug report (bug 1081338) and its attached patch (dix-Hold-input-lock-for-AttachDevice.patch). The upstream fix is committed in the X.Org X server GitLab repository at dc7cb45482cea6ccec22d117ca0b489500b4d0a0, addressing the issue reported in GitLab issue 1260. Security practitioners should update to patched X server versions beyond 21.1.16.