CVE-2006-4655

X Window System X11R6.4- - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2006-4655. PoCs published by Marco Ivaldi, RISE Security.

AI-analyzed exploit summary This exploit targets a buffer overflow in the XKEYBOARD extension's Strcmp function (CVE-2006-4655) on Solaris/SPARC systems. It leverages a long _XKB_CHARSET environment variable to achieve local privilege escalation by overwriting the stack and executing shellcode.

Description

Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Marco Ivaldi · clocalsolaris
https://www.exploit-db.com/exploits/2360

This exploit targets a buffer overflow in the XKEYBOARD extension's Strcmp function (CVE-2006-4655) on Solaris/SPARC systems. It leverages a long _XKB_CHARSET environment variable to achieve local privilege escalation by overwriting the stack and executing shellcode.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: X Window System X11R6.4 and earlier (Solaris 8/9/10)
No auth needed
Prerequisites: XKEYBOARD extension enabled on the target X server · Access to a vulnerable Solaris/SPARC system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by RISE Security · clocalsolaris
https://www.exploit-db.com/exploits/2330

This exploit targets a buffer overflow vulnerability in the XKEYBOARD extension of X11R6 on Sun Solaris 8/9/10 SPARC systems. It leverages either sprintf or strcpy to achieve remote code execution by manipulating environment variables and injecting shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: X11R6 XKEYBOARD extension on Sun Solaris 8/9/10 SPARC
No auth needed
Prerequisites: XKEYBOARD extension enabled on the target X server · Access to the target's display environment variable
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by RISE Security · clocalsolaris
https://www.exploit-db.com/exploits/2331

This exploit targets a buffer overflow vulnerability in the X11R6 XKEYBOARD extension on Sun Solaris 8/9/10 x86 systems. It leverages an environment variable overflow to execute arbitrary shellcode, granting remote code execution via the `dtaction` binary.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: X11R6 XKEYBOARD extension on Sun Solaris 8/9/10 x86
No auth needed
Prerequisites: Access to a vulnerable Sun Solaris system with X11R6 XKEYBOARD extension · Ability to set environment variables for the target process
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by RISE Security · clocalsco
https://www.exploit-db.com/exploits/2332

This exploit targets a buffer overflow vulnerability in the XKEYBOARD extension of X11R6 on SCO UnixWare 7.1.3. It leverages an environment variable overflow to execute arbitrary shellcode, resulting in remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: X11R6 XKEYBOARD extension on SCO UnixWare 7.1.3
No auth needed
Prerequisites: Access to the target system's X server · Ability to set environment variables for the target process
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (15)

Core 15
Core References
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3529
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19905
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/445579/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016806
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21856
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3525
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1798
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21815
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21993
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1545
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21845
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/28820

Scores

EPSS 0.0087
EPSS Percentile 54.2%

Details

Status published
Products (4)
sco/unixware 7.1.3
sun/solaris 8.0 (2 CPE variants)
sun/solaris 9.0 (2 CPE variants)
sun/solaris 10.0 (2 CPE variants)
Published Sep 09, 2006
Tracked Since Feb 18, 2026