{"containers": {"cna": {"affected": [{"product": "wayland", "vendor": "n/a", "versions": [{"status": "affected", "version": "wayland 1.20.91"}]}], "descriptions": [{"lang": "en", "value": "An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "(CWE-190|CWE-911)->CWE-416", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-23T15:26:59", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.freedesktop.org/wayland/wayland/-/issues/224"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-3782", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "wayland", "version": {"version_data": [{"version_value": "wayland 1.20.91"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "(CWE-190|CWE-911)->CWE-416"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.freedesktop.org/wayland/wayland/-/issues/224", "refsource": "MISC", "url": "https://gitlab.freedesktop.org/wayland/wayland/-/issues/224"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:08.931Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.freedesktop.org/wayland/wayland/-/issues/224"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3782", "datePublished": "2022-09-23T15:26:59", "dateReserved": "2021-09-09T00:00:00", "dateUpdated": "2024-08-03T17:09:08.931Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wayland:wayland:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC4B9E35-B657-4E88-B131-E135C0E7F762", "versionEndExcluding": "1.20.91", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time."}, {"lang": "es", "value": "Se mantiene un recuento interno de referencias en el pool de buffers, que es incrementado cada vez que es creado un nuevo buffer desde el pool. El recuento de referencias es mantenido como un int; en sistemas LP64 esto puede causar que el recuento de referencias sea desbordado si el cliente crea un gran n\u00famero de objetos de b\u00fafer wl_shm, o si puede coaccionar al servidor para que cree un gran n\u00famero de referencias externas al almacenamiento de b\u00faferes. Con el recuento de referencias desbordado, puede construirse un uso de memoria previamente liberada en la estructura de seguimiento de wl_shm_pool, donde los valores pueden ser incrementados o disminuidos; tambi\u00e9n puede ser posible construir un or\u00e1culo limitado para filtrar 4 bytes de memoria del lado del servidor al cliente atacante a la vez."}], "id": "CVE-2021-3782", "lastModified": "2023-11-07T03:38:15.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-23T16:15:10.143", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://gitlab.freedesktop.org/wayland/wayland/-/issues/224"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-190"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2786", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "wayland-0:1.21.0-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}], "bugzilla": {"description": "wayland: libwayland-server wl_shm reference-count overflow", "id": "2002627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2002627"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "verified"}, "cwe": "(CWE-190|CWE-911)->CWE-416", "details": ["An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time."], "name": "CVE-2021-3782", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "wayland", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "wayland", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-07-30T16:05:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3782\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3782"], "threat_severity": "Moderate", "upstream_fix": "wayland 1.20.91"}