{"id":"MGASA-2022-0418","summary":"Updated wayland packages fix security vulnerability","details":"An internal reference count is held on the buffer pool, incremented every\ntime a new buffer is created from the pool. The reference count is\nmaintained as an int; on LP64 systems this can cause the reference count\nto overflow if the client creates a large number of wl_shm buffer objects,\nor if it can coerce the server to create a large number of external\nreferences to the buffer storage. With the reference count overflowing, a\nuse-after-free can be constructed on the wl_shm_pool tracking structure,\nwhere values may be incremented or decremented; it may also be possible to\nconstruct a limited oracle to leak 4 bytes of server-side memory to the\nattacking client at a time. (CVE-2021-3782)\n","modified":"2026-04-16T04:42:48.033802804Z","published":"2022-11-13T02:25:20Z","upstream":["CVE-2021-3782"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0418.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30855"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5614-1"}],"affected":[{"package":{"name":"wayland","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/wayland?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.18.0-3.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0418.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}