Skip to main content

X.Org X Server CVE-2026-50256

| EUVDEUVD-2026-34813 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-05 redhat GHSA-7gx3-r5q9-6j33
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 12:24 vuln.today
CVE Published
Jun 05, 2026 - 10:31 nvd
HIGH 7.8

DescriptionCVE.org

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root.

AnalysisAI

Local privilege escalation in the X.Org X server and Xwayland stems from a stack-based buffer overflow during font alias resolution, where a 256-byte server-side stack buffer is overrun by libXfont2 alias target names of up to 1023 bytes. An authenticated local attacker who can influence font alias files can crash the server or, when the X server runs as root, escalate to root privileges. No public exploit is identified at time of analysis and CVSS is 7.8 (Local/Low complexity/Low privileges).

Technical ContextAI

The X.Org X server (cpe X.Org xserver) and the Xwayland compatibility server delegate font handling to the libXfont2 library, which manages font alias resolution. The vulnerability is a classic CWE-121 stack-based buffer overflow caused by an inter-component size mismatch: the X server reserves a 256-byte fixed stack buffer to hold a font alias target name, but libXfont2 advertises a maximum alias target length of 1024 bytes. Because no length check is performed before copying the alias name from libXfont2 into the server's stack buffer, any alias name between 257 and 1023 bytes corrupts adjacent stack memory, including saved return addresses and frame pointers, enabling memory corruption attacks against the X server process. The upstream fix is tracked at gitlab.freedesktop.org/xorg/xserver commit bb5158f962dc935e58ef8b4b5fcb31be201a6e07.

RemediationAI

Apply the upstream fix from xorg/xserver commit bb5158f962dc935e58ef8b4b5fcb31be201a6e07 (announced via https://lists.x.org/archives/xorg-announce/2026-June/003702.html) by upgrading xorg-x11-server and xwayland packages once the corresponding Red Hat errata are released - track availability and exact package versions via https://access.redhat.com/security/cve/CVE-2026-50256 and https://bugzilla.redhat.com/show_bug.cgi?id=2485380. Released patched RPM versions are not independently confirmed from the provided data, so vendor-released patch availability per RHEL stream should be verified against the Red Hat advisory before scheduling deployments. As compensating controls until patched packages are deployed, restrict who can supply or modify font configuration and alias files (typically under /etc/X11/fontpath.d, /usr/share/fonts, and per-user font directories) so unprivileged users cannot introduce attacker-controlled aliases, and avoid running the X server setuid-root by preferring rootless Xorg or Wayland sessions where the desktop stack supports it - note this may break legacy input drivers and remote display setups. On headless servers, consider uninstalling X.Org server and Xwayland entirely if not required, accepting the side effect of losing any GUI/forwarded-X functionality.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

CVE-2026-50256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy