CVE-2025-49177: 
TigerVNC vulnerability analysis and mitigation

CVE-2025-49177 is a security vulnerability discovered in the XFIXES extension of the X.Org X Server, specifically affecting the XFixesSetClientDisconnectMode handler. The vulnerability was disclosed on June 17, 2025, and impacts various X.Org X Server implementations and Xwayland packages. The flaw allows unauthorized memory access from previous requests due to improper request length validation (NVD, Wiz).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L. The flaw is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The technical issue stems from the XFixesSetClientDisconnectMode handler's failure to validate request lengths, which can lead to unauthorized memory access from previous requests (NVD).

When exploited, this vulnerability allows an attacker to read unintended memory from previous requests, potentially exposing sensitive information. The impact is primarily focused on confidentiality, with limited impact on system availability and no direct impact on integrity (Wiz).

Multiple vendors have released patches to address this vulnerability. Red Hat has released security updates through RHSA-2025:9304 and RHSA-2025:10258 for affected systems. Ubuntu has released fixes for versions 24.04 LTS, 24.10, and 25.04. Debian has also addressed this in their security update DSA-5947-1 with fixed versions available for various distributions (Red Hat Errata, Ubuntu).