CVE-2025-49179: Xorg-x11-server-xwayland: xorg-x11-server: tigervnc: integer overflow in x record extension
A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.
Security readout for executives and security teams
Plain-English summary
CVE-2025-49179 is a high-severity flaw in the X Record extension used by Xorg/Xwayland and TigerVNC packages. A logged-in local client can bypass request length checks through an integer overflow. The source data indicates high confidentiality and availability impact, but does not show confirmed active exploitation.
Executive priority
Handle through an accelerated patch cycle for affected Linux graphical and VNC systems. It is not shown as internet-scale or actively exploited in the supplied sources, but the potential confidentiality and availability impact justifies high priority in shared-user environments.
Technical view
RecordSanityCheckRegisterClients fails to check integer overflow while computing request length. That can let a client bypass length validation in the X Record extension. The CVSS vector is local, low complexity, low privileges, no user interaction, with high confidentiality and availability impact.
Likely exposure
Exposure is most likely on affected Red Hat Enterprise Linux systems with xorg-x11-server, xorg-x11-server-Xwayland, or tigervnc installed, especially shared graphical desktops, VNC environments, and systems where untrusted local users can start X clients.
Exploitation context
The provided data does not identify public exploit code or active exploitation, and KEV is false. The attack requires local client access with low privileges, so the practical risk rises in multi-user Linux, remote desktop, lab, and shared administrative environments.
Researcher notes
Evidence is strongest for Red Hat-packaged xorg-x11-server, Xwayland, and TigerVNC. The bundle lists X.Org xwayland defaultStatus as unaffected, while many Red Hat package builds are affected. Do not infer other distributions or exploitability beyond the supplied sources.
Mitigation direction
Apply the relevant Red Hat security advisories for affected packages.
Prioritize shared Linux desktops, VNC hosts, and systems with untrusted local users.
Update xorg-x11-server, xorg-x11-server-Xwayland, and tigervnc where affected.
If patches are unavailable, check Red Hat guidance for supported compensating controls.
Limit graphical or VNC access to trusted users until remediation is complete.
Validation and detection
Inventory installed Xorg, Xwayland, and TigerVNC package versions.
Compare installed versions with the CVE record and applicable RHSA advisories.
Confirm updated packages are installed on affected RHEL releases and add-ons.
Identify systems offering shared graphical sessions or TigerVNC access.
Track vendor advisory updates because affected-product evidence may change.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-190: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.