Skip to content
Snippets Groups Projects
Commit 01642f26 authored by Olivier Fourdan's avatar Olivier Fourdan :tools:
Browse files

Cursor: Refuse to free the root cursor 


If a cursor reference count drops to 0, the cursor is freed.

The root cursor however is referenced with a specific global variable,
and when the root cursor is freed, the global variable may still point
to freed memory.

Make sure to prevent the rootCursor from being explicitly freed by a
client.

CVE-2025-26594, ZDI-CAN-25544

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
<peter.hutterer@who-t.net>)
v3: Return BadCursor instead of BadValue (Michel Dänzer
<michel@daenzer.net>)

Signed-off-by: default avatarOlivier Fourdan <ofourdan@redhat.com>
Suggested-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
Part-of: <!1828>
parent 530e8037
No related branches found
No related tags found
1 merge request!1828Multiple CVE fixes
Hide whitespace changes
Inline Side-by-side
Showing
with 4 additions and 0 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment