CVE-2024-9632: 
TigerVNC vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2024-9632) was discovered in the X.org server's _XkbSetCompatMap function. The vulnerability was identified by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative and affects the X server and Xwayland implementations (OSS Security, Debian LTS).

The vulnerability stems from improper allocation size tracking in _XkbSetCompatMap function, where it updates 'num_si' without updating 'size_si'. The flaw allows an attacker to trigger a buffer overflow condition via a specially crafted payload. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to local privilege escalation in distributions where the X.org server is run with root privileges, or remote code execution in environments using X11 forwarding over SSH. The exploit is particularly effective when using VBoxVGA graphic controller in VirtualBox, though it doesn't work under VMware and default VirtualBox configurations (Red Hat Bugzilla).

Multiple vendors have released security updates to address this vulnerability. Red Hat has released fixes across multiple versions of RHEL through security advisories. Debian has addressed the issue in version 2:1.20.11-1+deb11u14 for Debian 11 (Bullseye). Users are strongly advised to upgrade their xorg-server packages to the latest patched versions (Debian LTS, Red Hat).