Message-ID: <ah4eSpv9hMfFZNAy@quokka>
Date: Tue, 2 Jun 2026 10:06:39 +1000
From: Peter Hutterer <peter.hutterer@...-t.net>
To: oss-security@...ts.openwall.com
Subject: FW: X.Org Security Advisory: multiple security issues X.Org X server
 and Xwayland

=======================================================================
X.Org Security Advisory: June 2, 2026 

Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
=======================================================================

Multiple issues have been found in the X server and Xwayland implementations
published by X.Org, for which we are releasing security fixes in
xorg-server-21.1.23 and xwayland-24.1.12.

Note that CVEs have been requested for these issues but did not get assigned in
time for this disclosure.

* Font Alias Stack-based Buffer Overflow

    A mismatch between the X server and the libXfont2 library's maximum
    font name length can cause a stack buffer overflow during font alias
    resolution. The server allocates a 256 byte stack buffer but libXfont2's
    alias target name length is 1024 bytes. A font alias name between 257
    and 1023 bytes causes the X server to copy that name into the undersized
    stack buffer without further checks.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
    Found by: Anonymous working with TrendAI Zero Day Initiative.
              (ZDI-CAN-30136)
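
    Added example, not part of the advisory or the X.Org fix: a bounded
    copy for the size mismatch described above, using the 256 and 1024 byte
    figures from the text. The macro and function names are hypothetical,
    and reserving one byte for the terminating NUL is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Sizes taken from the advisory text; the macro names are hypothetical. */
#define SERVER_FONT_NAME_BUF 256   /* server-side stack buffer */
#define LIB_ALIAS_NAME_MAX   1024  /* longest alias target the library may return */

/*
 * Copy an alias target returned by the font library into a caller buffer.
 * Returns 0 on success, -1 if the name plus its NUL does not fit.
 * The unchecked pattern would copy `len` bytes without comparing `len`
 * against the destination size.
 */
int copy_alias_target(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    if (len >= dst_size)            /* no room for the terminating NUL */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/*
 * Simulated resolution step: the library side produces a name of `len`
 * bytes (constructed sample data), the server side copies it into its
 * smaller buffer through the checked helper.
 */
int resolve_alias(size_t len)
{
    char library_name[LIB_ALIAS_NAME_MAX];
    char resolved[SERVER_FONT_NAME_BUF];

    if (len > sizeof(library_name))
        return -1;
    memset(library_name, 'a', len);
    return copy_alias_target(resolved, sizeof(resolved), library_name, len);
}
```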

* XSYNC Use-After-Free in miSyncDestroyFence()

    A client that sets up multiple fence triggers can trigger a
    use-after-free function pointer call. An attacker would connect to the
    X server to set up a fence and await that fence, then a second X
    connection destroys the fence, causing the use-after-free.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
    Found by: Anonymous working with TrendAI Zero Day Initiative.
              (ZDI-CAN-30159)

* XKB Key Types Stack-based Buffer Overflow

    The X server has multiple stack buffers that are sized
    XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify
    or clamp non-canonical key types to XkbMaxShiftLevel. A client can
    change key types to excessive shift levels and trigger three separate
    stack overflows.

    This is caused by an incomplete fix of CVE-2025-26597.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
    Found by: Anonymous working with TrendAI Zero Day Initiative.
              (ZDI-CAN-30160)

* XKB SetMap Request Stack-based Buffer Overflow

    _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]
    indexed by key type index. The helper function CheckKeyTypes() writes
    to this buffer at a client-controlled offset, allowing a stack buffer
    overflow.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
    Found by: Anonymous working with TrendAI Zero Day Initiative.
              (ZDI-CAN-30161)
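
    Added example, not part of the advisory or the X.Org fix: the two
    checks the XKB items above call for, a bound on shift levels and a bound
    on the key type index range, in a simplified model. The struct and
    function names are hypothetical, the constant values are assumed from
    the XKB headers, and the code rejects oversized types rather than
    clamping them.

```c
#include <stddef.h>
#include <stdint.h>

/* Values as defined in the XKB headers (assumed here, not on the page). */
#define XkbMaxShiftLevel 63
#define XkbNumKbdGroups  4
#define MAP_WIDTHS_LEN   256   /* size of mapWidths[] per the advisory */

/* Hypothetical, simplified stand-in for one key type in a SetMap request. */
struct key_type_wire {
    uint8_t num_levels;
};

/*
 * Validate a run of key types before recording their widths.
 * Returns 0 and fills map_widths[first .. first+count-1] on success,
 * -1 if the range leaves the table or a type exceeds XkbMaxShiftLevel.
 */
int check_key_types(uint8_t map_widths[MAP_WIDTHS_LEN],
                    unsigned first, unsigned count,
                    const struct key_type_wire *types)
{
    unsigned i;

    /* Range check written so that first + count cannot wrap. */
    if (first >= MAP_WIDTHS_LEN || count > MAP_WIDTHS_LEN - first)
        return -1;

    /* Validate everything first so a rejected request leaves no partial state. */
    for (i = 0; i < count; i++) {
        if (types[i].num_levels > XkbMaxShiftLevel)
            return -1;
    }
    for (i = 0; i < count; i++)
        map_widths[first + i] = types[i].num_levels;
    return 0;
}

/* Worst-case slots a per-key buffer must hold once levels are bounded. */
size_t max_syms_per_key(void)
{
    return (size_t)XkbMaxShiftLevel * XkbNumKbdGroups;
}
```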

* XSYNC Use-After-Free in FreeCounter()

    A client that sets up multiple SyncCounters and awaits on those
    triggers can trigger a use-after-free when destroying those counters
    via a second client connection.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
    Found by: Anonymous working with TrendAI Zero Day Initiative.
              (ZDI-CAN-30163)

* XSYNC Use-After-Free in SyncChangeCounter()

    A client that sets up multiple SyncCounters can trigger a use-after-free
    when destroying those counters via a second client connection while
    changing those counters.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
    Found by: Anonymous working with TrendAI Zero Day Initiative.
              (ZDI-CAN-30164)

* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write

    A wrong size validation check in __glXDisp_ChangeDrawableAttributes()
    can read (or write) a client-controlled number of bytes, exceeding
    the request buffer.

    The write path requires byte-swapped client support, which is disabled
    by default.

    The read can lead to information disclosure; the write can be used
    to crash the server, or for privilege escalation if the X server runs
    as root.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
    Found by: Anonymous working with TrendAI Zero Day Initiative.
              (ZDI-CAN-30165)

* CreateSaverWindow Use-After-Free Information Disclosure

    A client can trigger a use-after-free read after changing window
    attributes and forcing the screen saver. This can lead to information
    disclosure.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
    Found by: Anonymous working with TrendAI Zero Day Initiative.
              (ZDI-CAN-30168)

* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write

    A client that requests multiple DRI2BufferBackLeft attachments and one
    DRI2BufferFrontLeft can trigger an out-of-bounds heap write.

    Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
    Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
         https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
    Found by: Peter Hutterer, Red Hat.
