======================================================================= X.Org Security Advisory: June 2, 2026
Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
=======================================================================
Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.23 and xwayland-24.1.12.
Note that CVEs have been requested for these issues but did not get assigned in
time for this disclosure.
* Font Alias Stack-based Buffer Overflow
A mismatch between the X server and the libXfont2 library's maximum
font name length can cause a stack buffer overflow during font alias
resolution. The server allocates a 256 byte stack buffer but libXfont2's
alias target name length is 1024 bytes. A font alias name between 257
and 1023 bytes causes the X server to copy that name into the undersized
stack buffer without further checks.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30136)
* XSYNC Use-After-Free in miSyncDestroyFence()
A client that sets up multiple fence triggers can trigger a
use-after-free function pointer call. An attacker would connect to the
X server to set up a fence and await that fence, then a second X
connection destroys the fence, causing the use-after-free.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30159)
* XKB Key Types Stack-based Buffer Overflow
The X server has multiple stack buffers that are sized
XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify
or clamp non-canonical key types to XkbMaxShiftLevel. A client can
change key types to excessive shift levels and trigger three separate
stack overflows.
This is caused by an incomplete fix of CVE-2025-26597.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30160)
* XKB SetMap Request Stack-based Buffer Overflow
_XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]
indexed by key type index. The helper function CheckKeyTypes() writes
to this buffer at a client-controlled offset, allowing a stack buffer
overflow.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30161)
* XSYNC Use-After-Free in FreeCounter()
A client that sets up multiple SyncCounters and awaits on those
triggers can trigger a use-after-free when destroying those counters
via a second client connection.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30163)
* XSYNC Use-After-Free in SyncChangeCounter()
A client that sets up multiple SyncCounters can trigger a use-after-free
when destroying those counters via a second client connection while
changing those counters.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30164)
* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write
A wrong size validation check in __glXDisp_ChangeDrawableAttributes()
can read (or write) a client-controlled number of bytes, exceeding
the request buffer.
The write path requires byte-swapped clients which is disabled by
default.
The read can lead to information disclosure, the write can be used
to crash the server, or for privilege escalation if the X server runs
as root.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30165)
* CreateSaverWindow Use-After-Free Information Disclosure
A client can trigger a use-after-free read after changing window
attributes and forcing the screen saver. This can lead to information
disclosure.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30168)
* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write
A client that requests multiple DRI2BufferBackLeft attachments and one
DRI2BufferFrontLeft can trigger an out-of-bounds heap write.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
Found by: Peter Hutterer, Red Hat.
signature.asc
Description: PGP signature
