High severity7.8NVD Advisory· Published Feb 28, 2024· Updated Apr 15, 2026

CVE-2024-21885

Description

A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2024:0320nvd
access.redhat.com/errata/RHSA-2024:0557nvd
access.redhat.com/errata/RHSA-2024:0558nvd
access.redhat.com/errata/RHSA-2024:0597nvd
access.redhat.com/errata/RHSA-2024:0607nvd
access.redhat.com/errata/RHSA-2024:0614nvd
access.redhat.com/errata/RHSA-2024:0617nvd
access.redhat.com/errata/RHSA-2024:0621nvd
access.redhat.com/errata/RHSA-2024:0626nvd
access.redhat.com/errata/RHSA-2024:0629nvd
access.redhat.com/errata/RHSA-2024:2169nvd
access.redhat.com/errata/RHSA-2024:2170nvd
access.redhat.com/errata/RHSA-2024:2995nvd
access.redhat.com/errata/RHSA-2024:2996nvd
access.redhat.com/errata/RHSA-2025:12751nvd
access.redhat.com/security/cve/CVE-2024-21885nvd
bugzilla.redhat.com/show_bug.cginvd
lists.debian.org/debian-lts-announce/2024/01/msg00016.htmlnvd
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5J4H7CH565ALSZZYKOJFYDA5KFLG6NUK/nvd
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW/nvd
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZ75X54CN4IFYMIV7OK3JVZ57FHQIGIC/nvd
security.netapp.com/advisory/ntap-20240503-0004/nvd

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000