{"id":"CVE-2021-3782","details":"An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.","modified":"2026-04-16T04:40:10.933676144Z","published":"2022-09-23T16:15:10.143Z","related":["ALSA-2023:2786","SUSE-SU-2023:1860-1","SUSE-SU-2023:1864-1","SUSE-SU-2023:1873-1","SUSE-SU-2023:1874-1"],"references":[{"type":"FIX","url":"https://gitlab.freedesktop.org/wayland/wayland/-/issues/224"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.freedesktop.org/wayland/wayland","events":[{"introduced":"0"},{"fixed":"73d4d2410e2e0d0579bacc7f87d37bf4ec15cbbb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.20.91"}]}}],"versions":["0.94.90","0.95.0","0.99.0","1.0.0","1.0.1","1.0.90","1.1.0","1.1.91","1.10.0","1.10.91","1.10.92","1.10.93","1.11.0","1.11.91","1.11.92","1.11.93","1.11.94","1.12.0","1.12.91","1.12.92","1.12.93","1.13.0","1.13.91","1.13.92","1.13.93","1.14.0","1.14.91","1.14.92","1.14.93","1.15.0","1.15.91","1.15.92","1.15.93","1.15.94","1.16.0","1.16.91","1.16.92","1.16.93","1.17.0","1.17.91","1.17.92","1.17.93","1.18.0","1.18.91","1.18.92","1.18.93","1.19.0","1.19.91","1.19.92","1.19.93","1.2.0","1.2.91","1.2.92","1.20.0","1.3.0","1.3.91","1.3.92","1.3.93","1.4.0","1.4.91","1.4.92","1.4.93","1.5.0","1.5.91","1.5.92","1.5.93","1.6.0","1.6.91","1.6.92","1.6.93","1.7.0","1.7.91","1.7.92","1.7.93","1.8.0","1.8.91","1.8.92","1.8.93","1.9.0","1.9.91","1.9.92","1.9.93"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3782.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"}]}