{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-49737", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-17T16:07:13.541Z", "dateReserved": "2025-03-16T00:00:00.000Z", "datePublished": "2025-03-16T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "X server", "vendor": "X.org", "versions": [{"lessThanOrEqual": "21.1.16", "status": "affected", "version": "20.11", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-413", "description": "CWE-413 Improper Resource Locking", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-16T00:56:33.955Z"}, "references": [{"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338"}, {"url": "https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260"}, {"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1081338;filename=dix-Hold-input-lock-for-AttachDevice.patch;msg=5"}, {"url": "https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "20.11", "versionEndIncluding": "21.1.16"}]}]}]}, "adp": [{"references": [{"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-17T16:07:10.290860Z", "id": "CVE-2022-49737", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T16:07:13.541Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-49737", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-17T16:07:10.290860Z"}}}], "references": [{"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T16:06:52.663Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H"}}], "affected": [{"vendor": "X.org", "product": "X server", "versions": [{"status": "affected", "version": "20.11", "versionType": "custom", "lessThanOrEqual": "21.1.16"}], "defaultStatus": "unknown"}], "references": [{"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338"}, {"url": "https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260"}, {"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1081338;filename=dix-Hold-input-lock-for-AttachDevice.patch;msg=5"}, {"url": "https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-413", "description": "CWE-413 Improper Resource Locking"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "21.1.16", "versionStartIncluding": "20.11"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-16T00:56:33.955Z"}}}, "cveMetadata": {"cveId": "CVE-2022-49737", "state": "PUBLISHED", "dateUpdated": "2025-03-17T16:07:13.541Z", "dateReserved": "2025-03-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-03-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock."}, {"lang": "es", "value": "En el servidor X de X.Org (versi\u00f3n 20.11 a 21.1.16), cuando una aplicaci\u00f3n cliente usa easystroke para los gestos del rat\u00f3n, el hilo principal modifica diversas estructuras de datos utilizadas por el hilo de entrada sin adquirir un bloqueo (es decir, una condici\u00f3n de ejecuci\u00f3n). En particular, AttachDevice en dix/devices.c no adquiere un bloqueo de entrada."}], "id": "CVE-2022-49737", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.3, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-03-16T01:15:35.543", "references": [{"source": "cve@mitre.org", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1081338;filename=dix-Hold-input-lock-for-AttachDevice.patch;msg=5"}, {"source": "cve@mitre.org", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338"}, {"source": "cve@mitre.org", "url": "https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0"}, {"source": "cve@mitre.org", "url": "https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-413"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"created": "2025-07-12T22:01:08.879232+00:00", "updated": "2025-07-12T22:01:08.879321+00:00", "vendors": ["x.org", "x.org$PRODUCT$x_server"]}