CVE-2023-6816 Debian — Exploit & Vulnerability Details CRITICAL

Parameter	Value
CVSS	9.8 (CRITICAL)
Affected Versions	before 23.2.4
Fixed In	21.1.11
Type	CWE-787 (Out-of-bounds Write)
Vendor	Debian
Public PoC	No

A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-787 Out-of-bounds Write

Vulnerable Products 7

Configuration	From (including)	Up to (excluding)
X.Org X_Server cpe:2.3:a:x.org:x_server::::::::	—	`21.1.11`
X.Org Xwayland cpe:2.3:a:x.org:xwayland::::::::	—	`23.2.4`
Fedoraproject Fedora cpe:2.3:o:fedoraproject:fedora:39:::::::*	—	—
Redhat Enterprise_Linux_Desktop cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*	—	—
Redhat Enterprise_Linux_Server cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*	—	—
Redhat Enterprise_Linux_Workstation cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*	—	—
Debian Debian_Linux cpe:2.3:o:debian:debian_linux:10.0:::::::*	—	—

Menu

CVE-2023-6816

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 7

References 24

Related Vulnerabilities

CVE-2025-64512

CVE-2025-10934

CVE-2025-10922

CVE-2025-10921

CVE-2025-39737

CVE Details

Editor's Choice

Stay informed on cybersecurity