There are 7 open security issues in bookworm.
7 issues left for the package maintainer to handle:
- CVE-2023-5574:
(postponed; to be fixed through a stable update)
A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
- CVE-2022-49737:
(postponed; to be fixed through a stable update)
In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.
- CVE-2026-33999:
(needs triaging)
- CVE-2026-34000:
(needs triaging)
- CVE-2026-34001:
(needs triaging)
- CVE-2026-34002:
(needs triaging)
- CVE-2026-34003:
(needs triaging)
You can find information about how to handle these issues in the security team's documentation.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/x/xorg-server.png){kind=link}