CVE-2023-5574
TigerVNC vulnerability analysis and mitigation

Overview

A use-after-free vulnerability (CVE-2023-5574) was found in xorg-x11-server-Xvfb. It affects Xvfb when the server is run in a legacy multi-screen setup with multiple protocol screens (Zaphod mode). The issue was publicly disclosed on 25 October 2023 and is present in Xvfb from X.Org X server 1.13.0 onwards (Xorg Announce). It received a CVSS v3.1 base score of 7.0 (HIGH) (NVD).

Technical details

The vulnerability is in how the fb module cleans up the screen pixmap. The X server's screen hooks (CloseScreen, DestroyPixmap and the like) are layered: each module saves the next layer's hook and calls it, so every layer that holds a reference to an object is told when that object goes away. The fb module instead hardcoded the cleanup path for the screen pixmap and did not call into the next layer of the stack. A patch in server 1.13 that set out to fix a minor memory leak freed the pixmap on this hardcoded path but failed to remove all references to it, so a lower module still dereferences the freed pixmap during its own screen cleanup. The use-after-free is reached during Xvfb server shutdown or reset and requires a multi-screen (Zaphod mode) configuration (Xorg Announce, Red Hat).
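To make the cleanup-path problem concrete, here is an added C model of the X server's wrapped screen hooks. It is a constructed illustration written for this page, not X.Org or Xvfb code: the layer names (fb-like, lower, base), the hook fields and the `freed` flag are simplifications chosen for the example. It runs the close path three ways: the pre-1.13 leak, the hardcoded release that leaves a lower layer's reference dangling, and a release routed through the hook chain.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the X server's wrapped screen hooks. Not X.Org code:
 * the layer, hook and field names are simplified, and the "lower" layer only
 * stands in for the lower module the advisory refers to. */

typedef struct Pixmap {
    int refcnt;
    int freed;  /* stands in for the allocator's "chunk freed" state (what ASan
                 * would track); the model reads this flag instead of freed memory */
} Pixmap;

typedef struct Screen Screen;
typedef void (*DestroyPixmapProc)(Screen *, Pixmap *);
typedef void (*CloseScreenProc)(Screen *);

enum { FB_LEAK, FB_HARDCODED, FB_CHAINED };

struct Screen {
    /* heads of the wrap chains: the last layer to wrap a hook runs first */
    DestroyPixmapProc DestroyPixmap;
    CloseScreenProc CloseScreen;

    /* fb-like layer: owns the screen pixmap */
    Pixmap *screenPixmap;
    CloseScreenProc fbSavedCloseScreen;
    int fbVariant;

    /* lower layer: keeps its own pointer to the screen pixmap */
    Pixmap *lowerTarget;
    DestroyPixmapProc lowerSavedDestroyPixmap;
    CloseScreenProc lowerSavedCloseScreen;

    int useAfterFree;  /* set when a layer touches a freed pixmap */
};

/* Base layer: the only code that releases pixmap memory. */
static void BaseDestroyPixmap(Screen *s, Pixmap *p) {
    (void)s;
    if (--p->refcnt == 0)
        p->freed = 1;  /* models free(); the block is kept so the flag can be read */
}
static void BaseCloseScreen(Screen *s) { (void)s; }

/* Lower layer: wraps DestroyPixmap so it learns when its target goes away,
 * and uses that target during its own CloseScreen. */
static void LowerDestroyPixmap(Screen *s, Pixmap *p) {
    if (s->lowerTarget == p)
        s->lowerTarget = NULL;  /* reference dropped before the memory is released */
    s->lowerSavedDestroyPixmap(s, p);
}
static void LowerCloseScreen(Screen *s) {
    if (s->lowerTarget != NULL) {
        if (s->lowerTarget->freed)
            s->useAfterFree = 1;  /* in a real build this is a read of freed heap */
        /* otherwise: flush pending work for the pixmap (omitted) */
    }
    s->lowerSavedCloseScreen(s);
}

/* fb-like layer, with the three behaviours the advisory describes. */
static void FbCloseScreen(Screen *s) {
    switch (s->fbVariant) {
    case FB_LEAK:       /* before the 1.13 change: pixmap never released (leak) */
        break;
    case FB_HARDCODED:  /* the 1.13 leak fix: base cleanup called directly, so
                         * the lower layer never hears that its target is gone */
        BaseDestroyPixmap(s, s->screenPixmap);
        break;
    case FB_CHAINED:    /* release through the chain head so every layer that
                         * wrapped DestroyPixmap drops its reference first */
        s->DestroyPixmap(s, s->screenPixmap);
        s->screenPixmap = NULL;
        break;
    }
    s->fbSavedCloseScreen(s);
}

struct Outcome { int pixmapFreed; int useAfterFree; };

/* Build the screen bottom-up (base, lower layer wraps it, fb on top), then
 * close it as a server reset or shutdown would. */
struct Outcome RunCloseScreen(int fbVariant) {
    Screen s = {0};
    Pixmap *pix = calloc(1, sizeof *pix);
    if (pix == NULL) abort();
    pix->refcnt = 1;

    s.DestroyPixmap = BaseDestroyPixmap;
    s.CloseScreen = BaseCloseScreen;

    s.lowerSavedDestroyPixmap = s.DestroyPixmap;
    s.DestroyPixmap = LowerDestroyPixmap;
    s.lowerSavedCloseScreen = s.CloseScreen;
    s.CloseScreen = LowerCloseScreen;

    s.fbSavedCloseScreen = s.CloseScreen;
    s.CloseScreen = FbCloseScreen;
    s.fbVariant = fbVariant;

    s.screenPixmap = pix;
    s.lowerTarget = pix;   /* the lower layer starts tracking the screen pixmap */

    s.CloseScreen(&s);

    struct Outcome o = { pix->freed, s.useAfterFree };
    free(pix);
    return o;
}

int main(void) {
    const char *names[] = { "leak", "hardcoded", "chained" };
    for (int v = FB_LEAK; v <= FB_CHAINED; v++) {
        struct Outcome o = RunCloseScreen(v);
        printf("%-9s pixmap freed=%d use-after-free=%d\n",
               names[v], o.pixmapFreed, o.useAfterFree);
    }
    return 0;
}
```

The model reads a `freed` flag instead of the freed memory itself, so the hardcoded variant reports the stale access rather than performing it; in the real server the same access is a heap read of freed memory during CloseScreen, which AddressSanitizer would flag. The structural point is that an ownership change in a wrapped hook chain has to travel through the chain head (`s->DestroyPixmap` here) rather than a layer's private shortcut, otherwise the layers that wrapped the hook never learn that the object is gone.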

Impact

Successful exploitation could lead to privilege escalation or denial of service. Reaching the bug needs a running Xvfb in the legacy configuration with multiple protocol screens and a server shutdown or reset, which is where the freed pixmap is touched (Red Hat). Headless deployments that start Xvfb with a single screen, the usual case for CI runners and test harnesses, are not in the affected configuration.

Mitigation and workarounds

At the time of disclosure no complete fix was available: the proposed patches were dropped just before disclosure because they exposed issues in other, more commonly used components, and the fixes are tracked in a merge request in the X.Org GitLab repository (Bugzilla). Until a fixed xorg-x11-server-Xvfb package is installed, the workaround that follows from the trigger condition is configuration: do not start Xvfb with more than one protocol screen (more than one -screen option with distinct screen numbers), and audit existing Xvfb invocations, including those launched by CI runners and test harnesses, for that pattern.
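Since the trigger depends on configuration, the practical check is whether any running Xvfb was started with more than one protocol screen. The following is an added example written for this page, not a TigerVNC or X.Org tool. It assumes Xvfb's documented `-screen <num> <WxHxD>` option form, and that the server's screen count is the highest screen number plus one with screen 0 present by default; the `ps` invocation in the usage comment is the procps form.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added check, not from X.Org or TigerVNC: report how many protocol screens an
 * Xvfb command line would create. Assumption made here: "-screen <num> <WxHxD>"
 * configures screen <num>, and the screen table is sized to the highest screen
 * number plus one with screen 0 present by default, so "-screen 1 ..." alone
 * still yields two screens. */

/* Returns the protocol screen count for argv, or -1 if a -screen option is
 * malformed (Xvfb itself would reject such a command line). */
int xvfb_protocol_screens(int argc, char *const argv[]) {
    int highest = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-screen") != 0)
            continue;
        if (i + 2 >= argc)
            return -1;                          /* missing <num> or <WxHxD> */
        char *end;
        long n = strtol(argv[i + 1], &end, 10);
        /* Xvfb enforces its own screen limit; the cap here only keeps the
         * arithmetic below from overflowing on absurd input. */
        if (end == argv[i + 1] || *end != '\0' || n < 0 || n > 1023)
            return -1;
        if (n > highest)
            highest = (int)n;
        i += 2;                                 /* skip <num> and <WxHxD> */
    }
    return highest + 1;
}

/* Same check on one "ps -o args=" line. Returns 0 when the line is not an
 * Xvfb process, otherwise the value of xvfb_protocol_screens(). */
int xvfb_screens_from_cmdline(const char *line) {
    enum { MAX_ARGS = 256 };
    char *argv[MAX_ARGS];
    int argc = 0;
    size_t len = strlen(line);
    char *copy = malloc(len + 1);
    if (copy == NULL) abort();
    memcpy(copy, line, len + 1);

    for (char *tok = strtok(copy, " \t\r\n");
         tok != NULL && argc < MAX_ARGS;
         tok = strtok(NULL, " \t\r\n"))
        argv[argc++] = tok;

    int result = 0;
    if (argc > 0) {
        const char *base = strrchr(argv[0], '/');   /* match Xvfb by basename */
        base = base ? base + 1 : argv[0];
        if (strcmp(base, "Xvfb") == 0)
            result = xvfb_protocol_screens(argc, argv);
    }
    free(copy);
    return result;
}

/* Usage: ps -o args= -C Xvfb | ./xvfb_screens
 * Exit status is 1 if any instance runs more than one protocol screen. */
int main(void) {
    char line[4096];
    int flagged = 0;
    while (fgets(line, sizeof line, stdin) != NULL) {
        int n = xvfb_screens_from_cmdline(line);
        if (n == 0)
            continue;                           /* not an Xvfb process */
        if (n < 0) {
            printf("unparseable -screen option: %s", line);
            continue;
        }
        printf("%d protocol screen(s)%s: %s", n,
               n > 1 ? " (Zaphod mode, affected configuration)" : "", line);
        if (n > 1)
            flagged++;
    }
    return flagged ? 1 : 0;
}
```

Feed it `ps -o args= -C Xvfb` output, or lines from `/proc/<pid>/cmdline` with the NUL separators replaced by spaces. The count is what the command line requests; an Xvfb that rejected its options never started, so a non-zero exit here means a live server in the affected configuration.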

This report was generated using AI.

Related TigerVNC vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name                  CISA KEV exploit  Has fix  Published date
CVE-2025-49180   HIGH      7.8    TigerVNC      xorg-x11-server-doc             No                Yes      Jun 17, 2025
CVE-2025-62230   HIGH      7.3    TigerVNC      tigervnc-server                 No                Yes      Oct 30, 2025
CVE-2025-62229   HIGH      7.3    TigerVNC      xorg-x11-server-Xorg-debuginfo  No                Yes      Oct 30, 2025
CVE-2025-62231   HIGH      7.3    TigerVNC      xorg-x11-server-Xnest           No                Yes      Oct 30, 2025
ELSA-2025-20958  HIGH      N/A    TigerVNC      tigervnc-icons                  No                Yes      Nov 25, 2025
