Memory Read Flaw in XFIXES Extension for Affected Products
CVE-2025-49177

5.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 17 June 2025

What is CVE-2025-49177?

A flaw exists in the XFIXES extension, where the XFixesSetClientDisconnectMode handler fails to properly validate the length of requests. This oversight allows a potential attacker to exploit the vulnerability, enabling them to access unintended memory from previous requests. Such an exploit could result in the exposure of sensitive information, leading to potential data breaches and compromised system integrity.

References

https://access.redhat.com/security/cve/CVE-2025-49177

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2369955

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2025
Vulnerability Reserved
Jun 3, 2025

Credit

Red Hat would like to thank Julian Suleder and Nils Emmerich for reporting this issue.