Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAP=2yyQ2EghfuepLsAopsRpgH8eQLUg5G_JRM=ScMR2NVcjYhw@mail.gmail.com>
Date: Tue, 14 Apr 2026 15:47:33 +0200
From: Olivier Fourdan <ofourdan@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: X.Org Security Advisory: multiple security issues X.Org X server
 and Xwayland

======================================================================
X.Org Security Advisory: April 14, 2026

Issues in X.Org X server prior to 21.1.22 and Xwayland prior to 24.1.10
======================================================================

Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.22 and xwayland-24.1.10.


* CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()

   If a "compat" buffer was previously truncated, there will be unused
   space left in the buffer. The code in XkbSetCompatMap() will use that
   space, but fails to update the number of valid entries actually in the
   buffer.

   As a result, that can lead to buffer read overrun when processing a
   future request.

   Introduced in: Prior to X11R6.6 Xorg baseline
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae17
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

* CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()

   Each key alias entry contains two key names (the alias and the real
   key name).

   The code in CheckSetGeom() does its bounds checking using only the
   first name, allowing XkbAddGeomKeyAlias to read uninitialised memory.

   Introduced in: xorg-server-21.1.4 and xwayland-22.1.3
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

* CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()

   When walking the list of fences to trigger, miSyncTriggerFence() may
   call TriggerFence() for the current trigger, which end up calling the
   function SyncAwaitTriggerFired().

   SyncAwaitTriggerFired() frees the entire await resource, which removes
   all triggers from that await, including the next entries in the list
   of fences, leading to a use-after-free.

   Introduced in: xorg-server-1.9.0
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94b
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

* CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()

   CheckModifierMap() reads from the wire in a loop without verifying that
   the data remains within the bounds of the client request.

   As a result, the total number of keys could exceed the actual data
   provided, causing a potential read of uninitialised memory.

   Introduced in: Prior to X11R6.6 Xorg baseline
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1c
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

* CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()

   The function CheckKeyTypes() will loop over the client's request but
   won't perform any additional bound checking to ensure that the data
   read remains within the request bounds.

   As a result, a specifically crafted request may cause CheckKeyTypes()
   to read uninitialised memory past the request data.

   Introduced in: Prior to X11R6.6 Xorg baseline
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd
        https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563f
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

------------------------------------------------------------------------

X.Org thanks all of those who reported and fixed these issues, and those
who helped with the review and release of this advisory and these fixes.

View attachment "OpenPGP_0x14706DBE1E4B4540.asc" of type "text/plain" (3037 bytes)

View attachment "OpenPGP_signature.asc" of type "text/plain" (209 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.