CRITICAL🇵🇱 Wersja polska

CVE-2023-45924

CVSS 9.8v3.1pub. 2024-03-27upd. 2026-04-15

libglxproto.c in OpenGL libglvnd bb06db5a was discovered to contain a segmentation violation via the function glXGetDrawableScreen(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server.

🤖 AI Analysis
How it works

The bug is related to two classes of vulnerabilities: stack-based buffer overflow (CWE-121) and NULL pointer dereference (CWE-476). Calling the glXGetDrawableScreen() function with appropriately crafted data from a malicious server can lead to a process segmentation violation. The mechanism assumes that the attacker controls the OpenGL/X11 server to which a client using the vulnerable library connects.

Impact

An attacker controlling the server can cause a client application crash (denial of service) or potentially execute arbitrary code in the context of the client process. The high CVSS score (9.8) reflects theoretical maximum impact, however the actual risk is disputed by the project creators.

Mitigation & patch

Patches available from the vendor should be applied according to references — merge request no. 295 is available in the libglvnd project GitLab repository (gitlab.freedesktop.org/glvnd/libglvnd). The library should be updated to a version containing the fix.

Who is affected

OpenGL libglvnd library, revision bb06db5a (specific versions indicated in vendor references)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References