DEBIAN-CVE-2017-2624

DEBIAN-CVE-2017-2624 PUBLISHED CVSS 7 HIGH

It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.

Risk Scores

CVSS v3.0

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:11	xorg-server	0, 0, 0
Debian:12	xorg-server	0, 0, 0
Debian:13	xorg-server	0, 0, 0
Debian:14	xorg-server	0, 0, 0

Timeline

Jul 27, 2018 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2017-2624 advisory

Open in Interactive Console →