Source: xorg-server Version: 2:21.1.23-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 2:21.1.16-1
Hi, The following vulnerabilities were published for xorg-server. CVE-2026-55999[0]: | Local attackers with a X connection able to provide PCX fonts to the | X server xorg-server before 21.2.24 and xwayland before 24.1.13 | could cause a heap buffer overflow via SetFont due to missing glyph | boundary checks. CVE-2026-56000[1]: | Local attackers with a X connection able to provide GLX commit to | the X server xorg-server before 21.2.24 and xwayland before 24.1.13 | could cause a Heap Use After Free, due to CommonMakeCurrent() | pointing into potentially reallocated memory. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-55999 https://www.cve.org/CVERecord?id=CVE-2026-55999 [1] https://security-tracker.debian.org/tracker/CVE-2026-56000 https://www.cve.org/CVERecord?id=CVE-2026-56000 [2] https://www.openwall.com/lists/oss-security/2026/07/08/2 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

