High severity7.7NVD Advisory· Published Mar 16, 2025· Updated Apr 15, 2026

CVE-2022-49737

Description

In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.

Patches

dc7cb45482ce

https://gitlab.freedesktop.org/xorg/xservervia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

bugs.debian.org/cgi-bin/bugreport.cginvd
bugs.debian.org/cgi-bin/bugreport.cginvd
gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0nvd
gitlab.freedesktop.org/xorg/xserver/-/issues/1260nvd

News mentions

No linked articles in our index yet.

cvss	0.501
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000