vulnerability

Debian: CVE-2017-11171: gnome-session -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:L/AC:L/Au:N/C:N/I:N/A:C)	Jul 11, 2017	Jul 30, 2024	Mar 30, 2026

Severity

CVSS

(AV:L/AC:L/Au:N/C:N/I:N/A:C)

Published

Jul 11, 2017

Added

Jul 30, 2024

Modified

Mar 30, 2026

Description

Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92 allows a local attacker to establish ICE connections to gnome-session with invalid authentication data (an invalid magic cookie). Each failed authentication attempt will leak a file descriptor in gnome-session. When the maximum number of file descriptors is exhausted in the gnome-session process, it will enter an infinite loop trying to communicate without success, consuming 100% of the CPU. The graphical session associated with the gnome-session process will stop working correctly, because communication with gnome-session is no longer possible.

Solution

debian-upgrade-gnome-session

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report