CVE-2025-49180
Publication date 17 June 2025
Last updated 18 June 2025
Ubuntu priority
A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| xorg | 25.04 plucky |
Not affected
|
| 24.10 oracular |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| xorg-hwe-16.04 | 25.04 plucky | Not in release |
| 24.10 oracular | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| xorg-hwe-18.04 | 25.04 plucky | Not in release |
| 24.10 oracular | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Not affected
|
|
| xorg-server | 25.04 plucky |
Fixed 2:21.1.16-1ubuntu1.1
|
| 24.10 oracular |
Fixed 2:21.1.13-2ubuntu1.4
|
|
| 24.04 LTS noble |
Fixed 2:21.1.12-1ubuntu1.4
|
|
| 22.04 LTS jammy |
Fixed 2:21.1.4-2ubuntu1.7~22.04.15
|
|
| 20.04 LTS focal |
Fixed 2:1.20.13-1ubuntu1~20.04.20+esm1
|
|
| 18.04 LTS bionic |
Fixed 2:1.19.6-1ubuntu4.15+esm13
|
|
| 16.04 LTS xenial |
Fixed 2:1.18.4-0ubuntu0.12+esm18
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| xorg-server-hwe-16.04 | 25.04 plucky | Not in release |
| 24.10 oracular | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Fixed 2:1.19.6-1ubuntu4.1~16.04.6+esm10
|
|
| xorg-server-hwe-18.04 | 25.04 plucky | Not in release |
| 24.10 oracular | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Fixed 2:1.20.8-2ubuntu2.2~18.04.11+esm5
|
|
| xwayland | 25.04 plucky |
Fixed 2:24.1.6-1ubuntu0.1
|
| 24.10 oracular |
Fixed 2:24.1.2-1ubuntu0.6
|
|
| 24.04 LTS noble |
Fixed 2:23.2.6-1ubuntu0.6
|
|
| 22.04 LTS jammy |
Fixed 2:22.1.1-1ubuntu0.19
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
mdeslaur
xorg server is actually the xorg-server package the xorg package only contains docs xwayland package contains parts of xorg-server
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.1 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7573-2
- X.Org X Server vulnerabilities
- 18 June 2025
- USN-7573-1
- X.Org X Server vulnerabilities
- 17 June 2025