Skip to main content

X.Org X Server CVE-2026-50261

| EUVDEUVD-2026-34817 HIGH
Use After Free (CWE-416)
2026-06-05 redhat GHSA-4r2h-m6wp-gxg9
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 12:21 vuln.today
CVE Published
Jun 05, 2026 - 10:36 nvd
HIGH 7.8

DescriptionCVE.org

A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.

AnalysisAI

Local privilege escalation in the X.Org X server and Xwayland arises from a use-after-free in SyncChangeCounter() that a local authenticated attacker can trigger by orchestrating two client connections - one creating multiple SyncCounters, the other destroying them while they are being changed. On systems where the X server still runs as root (common on legacy Linux setups), successful exploitation yields root code execution; at minimum it crashes the display server. No public exploit identified at time of analysis, but the bug is confirmed by Red Hat and a fix has landed upstream in xserver.

Technical ContextAI

The vulnerability lives in the XSync extension of xorg-server/Xwayland (CWE-416, Use-After-Free) inside SyncChangeCounter(), the handler responsible for updating SyncCounter objects used for client synchronization primitives. Because two distinct X11 client connections can race against the same counter - one connection destroying it while another mutates it - the server dereferences a freed SyncCounter object. The affected CPE set (Red Hat Enterprise Linux 6 through 10) reflects that all currently supported and legacy RHEL streams ship a vulnerable xorg-server/xwayland package; the upstream fix commit bdd7bf57af208b1ddf57d4683d67104443b44812 in freedesktop.org's xserver repository addresses the lifecycle bug.

RemediationAI

Apply the vendor-released X.Org/Xwayland updates as soon as Red Hat publishes per-RHEL-stream errata referenced from https://access.redhat.com/security/cve/CVE-2026-50261 (track Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2485386 for RHSA links); upstream the fix is commit bdd7bf57af208b1ddf57d4683d67104443b44812 on gitlab.freedesktop.org/xorg/xserver, announced at https://lists.x.org/archives/xorg-announce/2026-June/003702.html. Until patches are installed, reduce risk by switching to Wayland sessions with Xwayland where feasible, ensuring Xorg is not configured to run as root (use rootless Xorg via systemd-logind on RHEL 8+ - note this disables some legacy proprietary drivers), restricting interactive shell access on multi-user hosts so untrusted local users cannot reach the X server socket, and removing xorg-x11-server packages entirely from headless servers where they were installed unnecessarily.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

CVE-2026-50261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy