CVE-2007-4990

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.

Published: 2007-10-05 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2007-4990 is rated High Risk (68.3/100): CVSS High severity, with high exploitation likelihood (EPSS 10.74%, 95th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +5.31% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2007-4990

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 5.43% 10.74% +5.31%
2 2026-05-24 5.23% 5.43% +0.20%
3 2026-04-12 5.23%

Full EPSS history (17 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2007-4990

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
10.0 6.4 [email protected]

Weakness enumeration for CVE-2007-4990

OS Trackers for CVE-2007-4990

vendor priority summary link
gentoo high CVE-2007-4990: 1 GLSA(s) (200710-11), 1 atom(s) (x11-apps/xfs); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2007-4990
redhat low https://access.redhat.com/security/cve/CVE-2007-4990
ubuntu medium CVE-2007-4990 medium priority: Ubuntu including 1 source packages (xfs), 9 status rows across 9 suites (dapper, edgy, feisty, gutsy, hardy, intrepid, jaunty, karmic, upstream): ignored 4, not-affected 4, released 1. https://ubuntu.com/security/CVE-2007-4990

Vendor comments (NVD) for CVE-2007-4990

  • Red Hat (2007-10-08T00:00:00)

    Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4990 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

Affected software / configurations for CVE-2007-4990

Vendor Product Version Raw CPE
x.org x_font_server <= 1.0.4 cpe:2.3:a:x.org:x_font_server:*:*:*:*:*:*:*:*

References for CVE-2007-4990

URL Tags
http://bugs.freedesktop.org/show_bug.cgi?id=12299
http://bugs.gentoo.org/show_bug.cgi?id=194606
http://docs.info.apple.com/article.html?artnum=307562
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01323725
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
http://secunia.com/advisories/27040
http://secunia.com/advisories/27052
http://secunia.com/advisories/27060
http://secunia.com/advisories/27176
http://secunia.com/advisories/27228
http://secunia.com/advisories/27240
http://secunia.com/advisories/27560
http://secunia.com/advisories/28004
http://secunia.com/advisories/28514
http://secunia.com/advisories/28536
http://secunia.com/advisories/28542
http://secunia.com/advisories/29420
http://security.gentoo.org/glsa/glsa-200710-11.xml
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103114-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200642-1
http://www.mandriva.com/security/advisories?name=MDKSA-2007:210
http://www.novell.com/linux/security/advisories/2007_54_xorg.html
http://www.redhat.com/support/errata/RHSA-2008-0029.html
http://www.redhat.com/support/errata/RHSA-2008-0030.html
http://www.securityfocus.com/archive/1/481432/100/0/threaded
http://www.securityfocus.com/bid/25898
http://www.securitytracker.com/id?1018763
http://www.vupen.com/english/advisories/2007/3337
http://www.vupen.com/english/advisories/2007/3338
http://www.vupen.com/english/advisories/2007/3467
http://www.vupen.com/english/advisories/2008/0149
http://www.vupen.com/english/advisories/2008/0924/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/36920
https://issues.rpath.com/browse/RPL-1756
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11599
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00352.html
cvelogic Threat Intelligence