Skip to main content

X.Org X Server CVE-2026-50258

| EUVDEUVD-2026-34815 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-05 redhat GHSA-74fp-pmv2-rh3f
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 12:23 vuln.today
CVE Published
Jun 05, 2026 - 10:31 nvd
HIGH 7.8

DescriptionCVE.org

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.

AnalysisAI

Local privilege escalation in X.Org X server and Xwayland stems from an incomplete fix for CVE-2025-26597, where CheckKeyTypes() fails to clamp non-canonical key types to XkbMaxShiftLevel, enabling stack-based buffer overflows. Authenticated local users on Red Hat Enterprise Linux 6 through 10 can crash the display server or, when X runs as root, escalate to root privileges. No public exploit identified at time of analysis, though the upstream commit reveals the vulnerable code path and the prior CVE-2025-26597 has known exploitation history.

Technical ContextAI

The X.Org X server and Xwayland implement the XKB (X Keyboard Extension) protocol, which allows clients to define custom keyboard layouts including key types and shift levels. Internally, the server allocates several stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups to hold per-group key state. The CheckKeyTypes() validation routine, intended to enforce canonical bounds, omits a clamp on shift levels for non-canonical key types - a CWE-121 (Stack-based Buffer Overflow) condition. A malicious local client sending crafted XKB requests with excessive shift levels writes past these fixed-size stack buffers. The CPE data shows Red Hat Enterprise Linux 6, 7, 8, 9, and 10 all package the affected xorg-x11-server / xwayland components. The patch landed upstream as commit 543e108516428fc8c3bea91d6563ad266f9a801e and was announced on the xorg-announce mailing list in June 2026.

RemediationAI

Apply Patch available per vendor advisory: install the Red Hat erratum referenced at https://access.redhat.com/security/cve/CVE-2026-50258 for your RHEL major version (6 through 10), or rebuild xorg-server / xwayland with upstream commit 543e108516428fc8c3bea91d6563ad266f9a801e applied as documented in https://lists.x.org/archives/xorg-announce/2026-June/003702.html. Restart the display manager (or reboot) so the patched binary is loaded - running X sessions continue to use the vulnerable in-memory image until restart. If patching must be deferred, prefer running Xwayland under a Wayland compositor rather than the legacy Xorg server (eliminates the root-privilege escalation path while retaining X client compatibility, at the cost of breaking X11-specific features such as some screen-capture tools and legacy input grabs), and on servers where Xorg must run as root, restrict local logins to trusted users and disable XKB extension reconfiguration over untrusted X displays (note this will break international keyboard layout switching for affected users).

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

CVE-2026-50258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy