{"id":"CVE-2024-0409","details":"A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.","modified":"2026-04-16T04:34:26.719365851Z","published":"2024-01-18T16:15:08.593Z","related":["ALSA-2024:2169","ALSA-2024:2170","ALSA-2024:2995","ALSA-2024:2996","CGA-4fw2-mmvj-28pg","SUSE-SU-2024:0165-1","SUSE-SU-2024:0212-1","SUSE-SU-2024:0236-1","SUSE-SU-2024:0249-1","SUSE-SU-2024:0251-1","SUSE-SU-2024:0252-1","openSUSE-SU-2024:13597-1","openSUSE-SU-2024:13598-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00016.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZ75X54CN4IFYMIV7OK3JVZ57FHQIGIC/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5J4H7CH565ALSZZYKOJFYDA5KFLG6NUK/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-30"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240307-0006/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0320"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2170"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2996"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2024-0409"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2169"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2995"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2257690"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tigervnc/tigervnc","events":[{"introduced":"0"},{"fixed":"20e4443f2d6d17ea90bd641c35fcb776c8341194"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.13.1"}]}}],"versions":["v0.0.90","v1.1.90","v1.12.90","v1.13.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-0409.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"21.1.11"}]},{"events":[{"introduced":"0"},{"fixed":"23.2.4"}]},{"events":[{"introduced":"0"},{"last_affected":"39"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}