Hi all,

CVEs have been issued now, please see inline below.

On Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:
> =======================================================================
> X.Org Security Advisory: June 2, 2026
>
> Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
> =======================================================================
>
> Multiple issues have been found in the X server and Xwayland implementations
> published by X.Org for which we are releasing security fixes in
> xorg-server-21.1.23 and xwayland-24.1.12.
>
> Note that CVEs have been requested for these issues but did not get assigned
> in time for this disclosure.
>
> * Font Alias Stack-based Buffer Overflow
>
> A mismatch between the X server and the libXfont2 library's maximum
> font name length can cause a stack buffer overflow during font alias
> resolution. The server allocates a 256 byte stack buffer but libXfont2's
> alias target name length is 1024 bytes. A font alias name between 257
> and 1023 bytes causes the X server to copy that name into the undersized
> stack buffer without further checks.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30136)

This issue has been assigned CVE-2026-50256

> * XSYNC Use-After-Free in miSyncDestroyFence()
>
> A client that sets up multiple fence triggers can trigger a
> use-after-free function pointer call. An attacker would connect to the
> X server to set up a fence and await that fence, then a second X
> connection destroys the fence, causing the use-after-free.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30159)

This issue has been assigned CVE-2026-50257

> * XKB Key Types Stack-based Buffer Overflow
>
> The X server has multiple stack buffers that are sized
> XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify
> or clamp non-canonical key types to XkbMaxShiftLevel. A client can
> change key types to excessive shift levels and trigger three separate
> stack overflows.
>
> This is caused by an incomplete fix of CVE-2025-26597.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30160)

This issue has been assigned CVE-2026-50258

> * XKB SetMap Request Stack-based Buffer Overflow
>
> _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]
> indexed by key type index. The helper function CheckKeyTypes() writes
> to this buffer at a client-controlled offset, allowing a stack buffer
> overflow.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30161)

This issue has been assigned CVE-2026-50259

> * XSYNC Use-After-Free in FreeCounter()
>
> A client that sets up multiple SyncCounters and awaits on those
> triggers can trigger a use-after-free when destroying those counters
> via a second client connection.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30163)

This issue has been assigned CVE-2026-50260

> * XSYNC Use-After-Free in SyncChangeCounter()
>
> A client that sets up multiple SyncCounters can trigger a use-after-free
> when destroying those counters via a second client connection while
> changing those counters.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30164)

This issue has been assigned CVE-2026-50261

>
> * GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write
>
> A wrong size validation check in __glXDisp_ChangeDrawableAttributes()
> can read (or write) a client-controlled number of bytes, exceeding
> the request buffer.
>
> The write path requires byte-swapped clients which is disabled by
> default.
>
> The read can lead to information disclosure, the write can be used
> to crash the server, or for privilege escalation if the X server runs
> as root.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30165)

This issue has been assigned CVE-2026-50262

> * CreateSaverWindow Use-After-Free Information Disclosure
>
> A client can trigger a use-after-free read after changing window
> attributes and forcing the screen saver. This can lead to information
> disclosure.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30168)

This issue has been assigned CVE-2026-50263

> * DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write
>
> A client that requests multiple DRI2BufferBackLeft attachments and one
> DRI2BufferFrontLeft can trigger an out-of-bounds heap write.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix:
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
> Found by: Peter Hutterer, Red Hat.

This issue has been assigned CVE-2026-50264

Cheers,
  Peter
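
Added illustration of the font alias length mismatch described in the advisory above; it is not X.Org or libXfont2 code and not part of the original message. All macro, struct and function names are hypothetical, only the 256 and 1024 byte sizes come from the advisory, and this sketch NUL-terminates the copy so it needs one spare byte in the destination.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the advisory; every identifier in this file is hypothetical. */
#define SERVER_NAME_BUF 256   /* server-side stack buffer */
#define LIB_ALIAS_MAX   1024  /* library-side alias target name limit */

/* Stand-in for a library handing back an alias target and its length. */
struct alias_result { const char *name; size_t len; };

/* Unsafe shape: the caller's buffer size is implicit, so any length the
 * library allows is copied as-is. Shown for contrast only, never called. */
void copy_alias_unchecked(char *dst, const struct alias_result *r)
{
    memcpy(dst, r->name, r->len);
    dst[r->len] = '\0';
}

/* Hardened shape: destination size is passed explicitly and the length is
 * validated against it. Returns 0 on success, -1 if the name is rejected. */
int copy_alias_checked(char *dst, size_t dst_size, const struct alias_result *r)
{
    if (dst == NULL || r == NULL || r->name == NULL || dst_size == 0)
        return -1;
    if (r->len >= dst_size)          /* no room for name plus terminator */
        return -1;
    memcpy(dst, r->name, r->len);
    dst[r->len] = '\0';
    return 0;
}

/* Builds a constructed alias of alias_len bytes and resolves it into a
 * 256-byte stack buffer. Returns the copied length, or -1 when rejected. */
int resolve_alias_len(size_t alias_len)
{
    char src[LIB_ALIAS_MAX];
    char name[SERVER_NAME_BUF];
    if (alias_len >= sizeof src)     /* the "library" limit itself */
        return -1;
    memset(src, 'a', alias_len);
    struct alias_result r = { src, alias_len };
    if (copy_alias_checked(name, sizeof name, &r) != 0)
        return -1;
    return (int)strlen(name);
}

int main(void)
{
    size_t lens[] = { 255, 256, 257, 1023 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("alias length %zu -> %d\n", lens[i], resolve_alias_len(lens[i]));
    return 0;
}
```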
