CVE-2025-49177: Xorg/TigerVNC Data Leak Exposes Sensitive Information on Red Hat Systems
A data leak vulnerability, identified as CVE-2025-49177, has been discovered in the XFIXES extension of Xorg-x11-server and TigerVNC. This flaw can allow a local user to potentially expose sensitive information from previous requests on vulnerable Red Hat Enterprise Linux systems. Read on to understand the details of this vulnerability, its potential impact, and recommended steps to mitigate the risk.
Vulnerability Details
- CVE ID: CVE-2025-49177
- Description: The XFixesSetClientDisconnectMode handler in the XFIXES extension does not properly validate the request length. This allows a malicious client to read unintended memory from previous requests, potentially exposing sensitive information.
- CVSS Score: 5.5 (Medium)
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CVSS Explanation: This vulnerability has a CVSS score of 5.5, indicating a medium severity. The attack vector is local (AV:L), meaning an attacker needs local access to the system. The attack complexity is low (AC:L), meaning the exploit is relatively easy to execute. Low privileges are required (PR:L), and there is no user interaction (UI:N). The primary impact is on confidentiality (C:H), meaning an attacker could gain access to sensitive information, but there is no impact on integrity or availability.
- Exploit Requirements: Local access to a vulnerable system with the ability to send XFIXES extension requests.
- Affected Vendor: Red Hat
- Affected Products: Red Hat Enterprise Linux 6, 7, 8, and 9 with affected versions of xorg-x11-server, xorg-x11-server-Xwayland, and tigervnc.
- Affected Versions: Refer to Red Hat Security Advisory RHSA-2025:9304 for specific affected versions.
- CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
- CWE Explanation: CWE-200 describes a vulnerability where an application inadvertently exposes sensitive information, such as passwords, API keys, or other confidential data, to an unauthorized actor. In this case, the flaw in the XFIXES extension allows an attacker to read memory that they should not have access to, potentially revealing such sensitive information.
Timeline of Events
- 2025-06-03: Reported to Red Hat.
- 2025-06-17: Vulnerability publicly disclosed.
- 2025-06-17: Red Hat Security Advisory RHSA-2025:9304 released.
Exploitability & Real-World Risk
While the exploit requires local access, the potential impact of this vulnerability is significant. In shared environments, such as virtual machines or containerized setups, a compromised user could potentially use this flaw to gain access to sensitive information belonging to other users or the system itself. The vulnerability could be exploited to steal credentials, configuration files, or other sensitive data. Although the attack complexity is low, successful exploitation depends on the attacker's ability to craft specific XFIXES requests and analyze the leaked memory for useful information.
Recommendations
- Apply the Patch: The most effective solution is to apply the security patches provided by Red Hat. Refer to Red Hat Security Advisory RHSA-2025:9304 for specific instructions.
- Restrict Local Access: Limit local access to systems where possible. Use strong passwords and multi-factor authentication.
- Monitor System Logs: Monitor system logs for suspicious activity related to Xorg-x11-server and TigerVNC.
Technical Insight
The vulnerability stems from a lack of input validation in the XFixesSetClientDisconnectMode handler. This handler is responsible for setting the disconnect mode for a client using the XFIXES extension. The handler does not properly check the length of the request, allowing an attacker to send a request that is larger than expected. This causes the handler to read memory beyond the intended buffer, potentially exposing sensitive information from previous requests.
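The following is an added illustration, not code from the Xorg, TigerVNC or Red Hat sources: a constructed, simplified model of a fixed-size X11 extension request and its handler, showing the difference between a permissive "at least this long" length check and the exact-size check a fixed-size request should get. All struct names, opcodes and mode values are hypothetical; only the X11 convention that a request header carries its total length in 4-byte units is real.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a fixed-size X11 extension request (not the Xorg
 * source). X11 request headers carry the whole request's length in 4-byte
 * units; everything after the header here is the single payload field. */
typedef struct {
    uint8_t  reqType;         /* extension major opcode (illustrative) */
    uint8_t  minorOpcode;     /* request number within the extension */
    uint16_t length;          /* request length in 4-byte units */
    uint32_t disconnectMode;  /* the request's only payload field */
} SetDisconnectModeReq;       /* hypothetical name; 8 bytes, no padding */

enum { XStatusSuccess = 0, XStatusBadValue = 2, XStatusBadLength = 16 };
enum { DisconnectModeNone = 0, DisconnectModeTerminate = 1 }; /* constructed */

#define X_LEN_UNIT 4u

/* Compare the header's declared length with the request's real size.
 * strict == 0 models an "at least sizeof(req)" check: it tolerates trailing
 * bytes, which is only right for variable-length requests.
 * strict == 1 models an exact-size check, the correct policy for a
 * fixed-size request: both short and over-long requests are rejected. */
static int validate_length(const uint8_t *buf, size_t buflen,
                           size_t expected, int strict)
{
    uint16_t units;
    size_t declared;

    if (buflen < 4)                       /* not even a complete header */
        return XStatusBadLength;
    memcpy(&units, buf + 2, sizeof units); /* host byte order assumed */
    declared = (size_t)units * X_LEN_UNIT;
    if (declared != buflen)               /* header disagrees with bytes read */
        return XStatusBadLength;
    if (strict)
        return declared == expected ? XStatusSuccess : XStatusBadLength;
    return declared >= expected ? XStatusSuccess : XStatusBadLength;
}

/* Request handler: validate the length first, only then touch the payload.
 * Returns an X status code; on success *mode_out holds the requested mode. */
int handle_set_disconnect_mode(const uint8_t *buf, size_t buflen,
                               int strict, uint32_t *mode_out)
{
    SetDisconnectModeReq req;
    int rc = validate_length(buf, buflen, sizeof req, strict);

    if (rc != XStatusSuccess) {
        /* Worth logging: a conforming client never sends a malformed length. */
        fprintf(stderr, "rejected request: %zu bytes, length check failed\n", buflen);
        return rc;
    }
    memcpy(&req, buf, sizeof req);
    if (req.disconnectMode > DisconnectModeTerminate)
        return XStatusBadValue;
    *mode_out = req.disconnectMode;
    return XStatusSuccess;
}

/* Build a request buffer with an explicit declared length (4-byte units).
 * Returns the number of bytes written, or 0 if it does not fit in `out`. */
size_t build_request(uint16_t len_units, uint32_t mode, uint8_t *out, size_t cap)
{
    size_t total = (size_t)len_units * X_LEN_UNIT;

    if (total > cap)
        return 0;
    memset(out, 0, total);
    if (total >= 4) {
        out[0] = 0xC8;                        /* constructed major opcode */
        out[1] = 0x07;                        /* constructed minor opcode */
        memcpy(out + 2, &len_units, sizeof len_units);
    }
    if (total >= sizeof(SetDisconnectModeReq))
        memcpy(out + 4, &mode, sizeof mode);
    return total;
}

/* Convenience: status the handler returns for a request of `len_units`
 * carrying `mode`, under the chosen length policy. */
int status_for(uint16_t len_units, uint32_t mode, int strict)
{
    uint8_t buf[64];
    uint32_t got = 0;
    size_t n = build_request(len_units, mode, buf, sizeof buf);
    return handle_set_disconnect_mode(buf, n, strict, &got);
}

int main(void)
{
    /* Correct 8-byte request passes both policies; a 12-byte request with
     * trailing bytes slips past the permissive check but not the exact one. */
    printf("8-byte request, exact check:     %d\n", status_for(2, 1, 1));
    printf("12-byte request, permissive:     %d\n", status_for(3, 1, 0));
    printf("12-byte request, exact check:    %d\n", status_for(3, 1, 1));
    printf("4-byte (header-only), exact:     %d\n", status_for(1, 1, 1));
    return 0;
}
```

The point for a reviewer of any request dispatcher is the ordering: the length check must be settled before the handler dereferences a single payload field, and for a request whose layout is fixed, "at least" is the wrong comparison because it leaves the server willing to process bytes the request format never defined.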
Credit to Researcher(s)
Red Hat would like to thank Julian Suleder and Nils Emmerich for reporting this issue.
References
Tags
CVE-2025-49177
Xorg
TigerVNC
Red Hat
Data Leak
Security Vulnerability
XFIXES
Information Disclosure
RHEL
Summary: A data leak vulnerability (CVE-2025-49177) exists in the XFIXES extension of Xorg-x11-server and TigerVNC, potentially allowing a local user to expose sensitive information on Red Hat Enterprise Linux systems. Apply the provided patches and restrict local access to mitigate this risk.
CVE ID: CVE-2025-49177
Risk Analysis: Successful exploitation could allow an attacker to steal credentials, configuration files, or other sensitive data, potentially leading to further compromise of the system or network.
Recommendation: Apply the security patches provided by Red Hat (RHSA-2025:9304). Restrict local access to systems and monitor system logs for suspicious activity.