Skip to main content

X.Org X Server CVE-2026-50264

| EUVDEUVD-2026-34818 HIGH
Out-of-bounds Write (CWE-787)
2026-06-05 redhat GHSA-c83q-p66f-qr9p
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 12:20 vuln.today
CVE Published
Jun 05, 2026 - 10:36 nvd
HIGH 7.8

DescriptionCVE.org

An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.

AnalysisAI

Out-of-bounds heap write in X.Org X server and Xwayland DRI2 buffer handling allows a local authenticated client to corrupt server memory by requesting multiple DRI2BufferBackLeft attachments alongside one DRI2BufferFrontLeft. Successful exploitation crashes the display server or, when the X server runs setuid root (a still-common legacy deployment), enables local privilege escalation to root. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

The flaw lives in the DRIGetBuffers and DRIGetBuffersWithFormat code paths of the X.Org X server and its Xwayland compatibility layer, which implement the DRI2 protocol used by clients to obtain direct rendering buffer attachments. The server allocates buffer arrays sized for the expected attachment combinations, but does not properly bound the case where a client requests multiple DRI2BufferBackLeft entries together with a DRI2BufferFrontLeft, leading to a heap write past the end of the allocation. This is a classic CWE-787 out-of-bounds write in a long-lived, privileged graphics process that historically runs with elevated privileges on traditional Linux desktops, making memory corruption here particularly dangerous.

RemediationAI

Upstream fix available (commit 339c279514326134b0878fc23ce6e9520440ce7f on freedesktop.org gitlab); a released patched tag is not independently confirmed from the data provided, so consume the fix via your distribution. On Red Hat Enterprise Linux 6 through 10, install the updated xorg-x11-server and xwayland packages as published in the advisory at https://access.redhat.com/security/cve/CVE-2026-50264 once available for your stream, applying out-of-cycle errata for any RHEL 6/7 systems still under extended support contracts. As a compensating control until packages are deployed, remove the setuid bit from the Xorg binary (chmod u-s /usr/libexec/Xorg or equivalent) to neutralize the privilege-escalation path - this requires switching to a logind/rootless or KMS-based startup and will break legacy startx flows that depend on setuid Xorg. On systems where Wayland is viable, prefer a Wayland session so Xwayland runs unprivileged, reducing impact to a per-session crash; restrict interactive and SSH-with-X-forwarding access on shared multi-user hosts to limit who can reach the vulnerable code path.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

CVE-2026-50264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy