Message-ID: <aiIMPvapb9WSKlHM@quokka>
Date: Fri, 5 Jun 2026 09:38:19 +1000
From: Peter Hutterer <peter.hutterer@...-t.net>
To: oss-security@...ts.openwall.com
Subject: Re: FW: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland

Hi all,

CVEs have been issued now, please see inline below

On Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:
> =======================================================================
> X.Org Security Advisory: June 2, 2026
>
> Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
> =======================================================================
>
> Multiple issues have been found in the X server and Xwayland implementations
> published by X.Org for which we are releasing security fixes for in
> xorg-server-21.1.23 and xwayland-24.1.12.
>
> Note that CVEs have been requested for these issues but did not get assigned in
> time for this disclosure.
>
> * Font Alias Stack-based Buffer Overflow
>
> A mismatch between the X server and the libXfont2 library's maximum
> font name length can cause a stack buffer overflow during font alias
> resolution. The server allocates a 256 byte stack buffer but libXfont2's
> alias target name length is 1024 bytes. A font alias name between 257
> and 1023 bytes causes the X server to copy that name into the undersized
> stack buffer without further checks.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30136)

This issue has been assigned CVE-2026-50256

> * XSYNC Use-After-Free in miSyncDestroyFence()
>
> A client that sets up multiple fence triggers can trigger a
> use-after-free function pointer call. An attacker would connect to the
> X server to set up a fence and await that fence, then a second X
> connection destroys the fence, causing the use-after-free.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30159)

This issue has been assigned CVE-2026-50257

> * XKB Key Types Stack-based Buffer Overflow
>
> The X server has multiple stack buffers that are sized
> XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify
> or clamp non-canonical key types to XkbMaxShiftLevel. A client can
> change key types to excessive shift levels and trigger three separate
> stack overflows.
>
> This is caused by an incomplete fix of CVE-2025-26597.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30160)

This issue has been assigned CVE-2026-50258

> * XKB SetMap Request Stack-based Buffer Overflow
>
> _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]
> indexed by key type index. The helper function CheckKeyTypes() writes
> to this buffer at a client-controlled offset, allowing a stack buffer
> overflow.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30161)

This issue has been assigned CVE-2026-50259

> * XSYNC Use-After-Free in FreeCounter()
>
> A client that sets up multiple SyncCounters and awaits on those
> triggers can trigger a use-after-free when destroying those counters
> via a second client connection.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30163)

This issue has been assigned CVE-2026-50260

> * XSYNC Use-After-Free in SyncChangeCounter()
>
> A client that sets up multiple SyncCounters can trigger a use-after-free
> when destroying those counters via a second client connection while
> changing those counters.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30164)

This issue has been assigned CVE-2026-50261

>
> * GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write
>
> A wrong size validation check in __glXDisp_ChangeDrawableAttributes()
> can read (or write) a client-controlled number of bytes, exceeding
> the request buffer.
>
> The write path requires byte-swapped clients which is disabled by
> default.
>
> The read can lead to information disclosure, the write can be used
> to crash the server, or for privilege escalation if the X server runs
> as root.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30165)

This issue has been assigned CVE-2026-50262

> * CreateSaverWindow Use-After-Free Information Disclosure
>
> A client can trigger a use-after-free read after changing window
> attributes and forcing the screen saver. This can lead to information
> disclosure.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
> Found by: Anonymous working with TrendAI Zero Day Initiative.
> (ZDI-CAN-30168)

This issue has been assigned CVE-2026-50263

> * DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write
>
> A client that requests multiple DRI2BufferBackLeft attachments and one
> DRI2BufferFrontLeft can trigger an out-of-bounds heap write.
>
> Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
>      https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
> Found by: Peter Hutterer, Red Hat.

This issue has been assigned CVE-2026-50264

Cheers,
  Peter
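
The size mismatch described in the Font Alias item above (a 256-byte consumer buffer fed by a producer that allows up to 1024 bytes), as an added C illustration that is not part of the original message and is not the X.Org or libXfont2 code. The two sizes come from the advisory; all function and macro names are hypothetical, the sample aliases are constructed, and the check shown is one generic way to close such a gap, not a description of the linked fix.

```c
#include <stdio.h>
#include <string.h>

/* Sizes come from the advisory text; every name here is hypothetical. */
#define SERVER_NAME_BUF 256   /* server-side stack buffer */
#define LIB_ALIAS_MAX   1024  /* library-side alias target limit */

/* Pattern the advisory describes (shown for contrast, not compiled):
 *     char name[SERVER_NAME_BUF];
 *     memcpy(name, alias, alias_len);   // alias_len can be 257..1023
 */

/* Length-counted copy that refuses anything larger than the destination.
 * Returns the number of bytes copied, or -1 if the alias is rejected. */
int copy_alias_checked(char *dst, size_t dst_size,
                       const char *alias, size_t alias_len)
{
    if (dst == NULL || alias == NULL || alias_len > dst_size)
        return -1;               /* reject, never truncate silently */
    memcpy(dst, alias, alias_len);
    return (int)alias_len;
}

/* Models the consumer: a 256-byte stack buffer fed by a producer whose
 * own limit is 1024 bytes. */
int resolve_alias(const char *alias, size_t alias_len)
{
    char name[SERVER_NAME_BUF];
    if (alias_len >= LIB_ALIAS_MAX)   /* producer's limit */
        return -1;
    return copy_alias_checked(name, sizeof name, alias, alias_len);
}

/* Feed a constructed alias of n bytes through the checked path. */
int try_length(size_t n)
{
    char alias[LIB_ALIAS_MAX];
    if (n > sizeof alias)
        return -1;
    memset(alias, 'a', n);
    return resolve_alias(alias, n);
}

int main(void)
{
    size_t lens[] = { 16, 256, 257, 1023 };   /* constructed lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%zu -> %d\n", lens[i], try_length(lens[i]));
    return 0;
}
```

The lengths 257 and 1023 bracket the range the advisory names; both are rejected while 256 still fits the length-counted buffer.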