Skip to main content

X.Org X Server CVE-2026-50257

| EUVDEUVD-2026-34812 HIGH
Use After Free (CWE-416)
2026-06-05 redhat GHSA-5p7p-jgvj-4v95
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 12:24 vuln.today
CVE Published
Jun 05, 2026 - 10:31 nvd
HIGH 7.8

DescriptionCVE.org

A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.

AnalysisAI

Local privilege escalation in X.Org X server and Xwayland enables authenticated local users to trigger a use-after-free in miSyncDestroyFence() by racing two client connections against a shared fence object. Successful exploitation can crash the display server or escalate privileges to root when the X server runs as root, which remains common on legacy and embedded Linux deployments. No public exploit identified at time of analysis, but an upstream fix has been committed by the X.Org maintainers.

Technical ContextAI

The vulnerability resides in the MIT-SHM/Sync extension code path of the X.Org xserver, specifically miSyncDestroyFence() within the miSync fence-handling logic shared between native X11 and the Xwayland compatibility server. The root cause is CWE-416 (Use After Free): the fence object's lifetime is not correctly serialized between the client that awaits the fence trigger and a separate client that destroys it, leaving a dangling function pointer that is later invoked when the trigger fires. Because the Sync extension exposes fence primitives over the X protocol, any local client with a session connection to the display server can manipulate these objects. The affected components are shipped as part of Red Hat Enterprise Linux 6 through 10 per the provided CPEs, and the upstream patch is tracked at gitlab.freedesktop.org commit f5abfb6.

RemediationAI

Apply the upstream fix at commit f5abfb61994471023d8c6470428c8e30c411cc0b from https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b once your distribution publishes a tagged release containing it; for Red Hat customers, monitor https://access.redhat.com/security/cve/CVE-2026-50257 and Bugzilla 2485382 for RHSA errata across RHEL 6 through 10 and install the updated xorg-x11-server and xwayland packages. Upstream fix available (commit); a tagged released patched xserver version is not independently confirmed in the provided data, so verify against the X.Org announce list (https://lists.x.org/archives/xorg-announce/2026-June/003702.html) for the corresponding 21.1.x point release. As compensating controls until patches land, run Xorg rootless (already default on modern Fedora/RHEL via systemd-logind seat takeover) to neutralize the privilege-escalation path while still leaving denial of service possible, prefer pure Wayland sessions where Xwayland runs as the unprivileged user, and on multi-user hosts restrict shell access since the attacker must connect to the local X server - note that disabling the SYNC extension entirely will break compositors and many GTK/Qt applications, so it is not a practical mitigation.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

CVE-2026-50257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy