{"id":"CVE-2021-31535","details":"LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.","modified":"2026-04-02T06:53:27.695989Z","published":"2021-05-27T13:15:08.240Z","related":["ALSA-2021:4326","MGASA-2021-0219","SUSE-SU-2021:14748-1","SUSE-SU-2021:1765-1","SUSE-SU-2021:1766-1","SUSE-SU-2021:1892-1","SUSE-SU-2021:1897-1","openSUSE-SU-2021:0807-1","openSUSE-SU-2021:0857-1","openSUSE-SU-2021:1897-1","openSUSE-SU-2024:10918-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEOT4RLB76RVPJQKGGTIKTBIOLHX2NR6/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.x.org/archives/xorg-announce/2021-May/003088.html"},{"type":"ADVISOR
Y","url":"http://seclists.org/fulldisclosure/2021/May/52"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00021.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202105-16"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4920"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2021/05/18/3"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/05/18/2"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210813-0001/"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2021/05/18/2"},{"type":"ADVISORY","url":"https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605"},{"type":"ADVISORY","url":"https://lists.freedesktop.org/archives/xorg/"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/162737/libX11-Insufficient-Length-Check-Injection.html"},{"type":"EVIDENCE","url":"https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/"},{"type":"EVIDENCE","url":"https://unparalleled.eu/publications/2021/advisory-unpar-2021-1.txt"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.freedesktop.org/xorg/lib/libX11","events":[{"introduced":"0"},{"fixed":"6953a586df4819143c4d55e011b3a5e5377981b8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.7.1"}]}},{"type":"GIT","repo":"https://gitlab.freedesktop.org/xorg/lib/libx11","events":[{"introduced":"0"},{"fixed":"8d2e02ae650f00c4a53deb625211a0527126c605"}]}],"versions":["CYGWIN-6_8_1-MERGE","CYGWIN-6_8_2-MERGE","CYGWIN-HEAD-LAST-MERGE","CYGWIN-PRE-6_8_0-MERGE","CYGWIN-RELEASE-1-MERGE","DAMAGE-XFIXES-BASE","IPv6-REVIEW-BASE","MODULAR_COPY","PRE_xf86-4_3_0_1","XACE-SELINUX-MERGE","XEVIE-BASE","XORG-6_7_99_1","XORG-6_7_99_2","XORG-6_7_99_902","XORG-6_7_99_903","XORG-6_8_1","XORG-6_8_1_902","XORG-6_8_1_903","XORG-6_8_1_904","XORG-6_8_99_10","XORG-6_8_99_13","XORG-6_8_99_14","XORG-
6_8_99_15","XORG-6_8_99_6","XORG-6_8_99_7","XORG-6_8_99_9","XORG-6_8_99_900","XORG-6_8_99_901","XORG-6_8_99_902","XORG-6_8_99_903","XORG-6_99_99_900","XORG-6_99_99_901","XORG-6_99_99_902","XORG-6_99_99_903","XORG-6_99_99_904","XORG-CURRENT-CLOSED","XORG-CURRENT-premerge-release-1","XORG-MAIN","XORG-RELEASE-1-BASE","XORG-RELEASE-1-STSF-FORK","XORG-RELEASE-1-TM-BASE","XORG-RELEASE-1-TM-MERGE","XORG-TM-CYGWIN-LAST-MERGE","XPRINT_BASE","XPRINT_BEGIN","lg3d-rel-0-6-2","lg3d-rel-0-7-0","libX11-1.0.99.1","libX11-1.0.99.2","libX11-1.1","libX11-1.1-RC1","libX11-1.1-RC2","libX11-1.1.1","libX11-1.1.2","libX11-1.1.3","libX11-1.1.4","libX11-1.1.5","libX11-1.1.6","libX11-1.1.99.2","libX11-1.2","libX11-1.2.1","libX11-1.2.2","libX11-1.2.99.901","libX11-1.3","libX11-1.3.1","libX11-1.3.2","libX11-1.3.3","libX11-1.3.4","libX11-1.3.5","libX11-1.3.6","libX11-1.3.99.901","libX11-1.3.99.902","libX11-1.3.99.903","libX11-1.4.0","libX11-1.4.1","libX11-1.4.2","libX11-1.4.3","libX11-1.4.4","libX11-1.4.99.1","libX11-1.4.99.901","libX11-1.4.99.902","libX11-1.5.0","libX11-1.5.99.901","libX11-1.5.99.902","libX11-1.6.0","libX11-1.6.1","libX11-1.6.10","libX11-1.6.11","libX11-1.6.12","libX11-1.6.2","libX11-1.6.3","libX11-1.6.4","libX11-1.6.5","libX11-1.6.6","libX11-1.6.7","libX11-1.6.8","libX11-1.6.9","libX11-1.7.0","libX11-1_0_1","libX11-1_0_2","libX11-1_0_3","rel-0-6-1","xf86-012804-2330","xf86-4_3_99_16","xf86-4_3_99_901","xf86-4_3_99_902","xf86-4_3_99_903","xf86-4_3_99_903_special","xf86-4_4_0","xf86-4_4_99_1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"x11r7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31535.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}