Source: xorg-server
Version: 2:21.1.22-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

From https://lists.x.org/archives/xorg-announce/2026-June/003702.html:

=======================================================================
X.Org Security Advisory: June 2, 2026

Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
=======================================================================

Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes in xorg-server-21.1.23 and xwayland-24.1.12.

Note that CVEs have been requested for these issues but did not get assigned in time for this disclosure.

* Font Alias Stack-based Buffer Overflow

A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
Found by: Anonymous working with TrendAI Zero Day Initiative. (ZDI-CAN-30136)

* XSYNC Use-After-Free in miSyncDestroyFence()

A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative. (ZDI-CAN-30159)

* XKB Key Types Stack-based Buffer Overflow

The X server has multiple stack buffers that are sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger three separate stack overflows. This is caused by an incomplete fix of CVE-2025-26597.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
Found by: Anonymous working with TrendAI Zero Day Initiative. (ZDI-CAN-30160)

* XKB SetMap Request Stack-based Buffer Overflow

_XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
Found by: Anonymous working with TrendAI Zero Day Initiative. (ZDI-CAN-30161)

* XSYNC Use-After-Free in FreeCounter()

A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative. (ZDI-CAN-30163)

* XSYNC Use-After-Free in SyncChangeCounter()

A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
Found by: Anonymous working with TrendAI Zero Day Initiative. (ZDI-CAN-30164)

* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write

A wrong size validation check in __glXDisp_ChangeDrawableAttributes() can read (or write) a client-controlled number of bytes, exceeding the request buffer. The write path requires byte-swapped clients which is disabled by default. The read can lead to information disclosure, the write can be used to crash the server, or for privilege escalation if the X server runs as root.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
Found by: Anonymous working with TrendAI Zero Day Initiative. (ZDI-CAN-30165)

* CreateSaverWindow Use-After-Free Information Disclosure

A client can trigger a use-after-free read after changing window attributes and forcing the screen saver. This can lead to information disclosure.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
Found by: Anonymous working with TrendAI Zero Day Initiative. (ZDI-CAN-30168)

* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write

A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
     https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
Found by: Peter Hutterer, Red Hat.

So far no CVEs assigned.

Regards,
Salvatore
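
Added example, not part of the original report and not code from xorg-server or libXfont2: the length mismatch behind the font alias item (a 256 byte destination fed by a source that may hold up to 1024 bytes), shown as an unchecked copy beside a bounds-checked one. All function and macro names are hypothetical; only the two sizes come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define SERVER_NAME_MAX 256   /* stack buffer size stated in the advisory */
#define LIB_ALIAS_MAX   1024  /* alias target limit stated in the advisory */

/* Hypothetical "before" pattern: trusts the producer's length. Never called. */
static void copy_alias_unchecked(char *dst, const char *alias, size_t len)
{
    memcpy(dst, alias, len);  /* len may reach 1023, dst holds only 256 */
    dst[len] = '\0';
}

/* Hardened pattern: reject anything that does not fit the destination. */
static int copy_alias_checked(char *dst, size_t dst_size,
                              const char *alias, size_t len)
{
    if (len >= dst_size)      /* room is needed for the terminating NUL */
        return -1;
    memcpy(dst, alias, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed input: an alias target of `len` bytes within the larger limit. */
static int try_alias(size_t len)
{
    char lib_buf[LIB_ALIAS_MAX];
    char name[SERVER_NAME_MAX];

    if (len >= sizeof(lib_buf))
        return -2;            /* outside the producer's own limit */
    memset(lib_buf, 'a', len);
    lib_buf[len] = '\0';
    return copy_alias_checked(name, sizeof(name), lib_buf, len);
}

int main(void)
{
    size_t lens[] = { 10, 255, 256, 257, 1023 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("alias length %4zu -> %s\n", lens[i],
               try_alias(lens[i]) == 0 ? "accepted" : "rejected");
    (void)copy_alias_unchecked;  /* kept only for side-by-side comparison */
    return 0;
}
```

The check compares against the destination's size rather than the producer's limit, so the two constants can drift apart again without reopening the overflow.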

