Skip to main content

X.Org X Server CVE-2026-56000

| EUVDEUVD-2026-42202 CRITICAL
Use After Free (CWE-416)
9.0
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Local X display access required (AV:L); PR:L because valid X client authorization is needed; scope change (S:C) as X server compromise affects all connected clients.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 09:01 EUVD
Analysis Generated
Jul 08, 2026 - 02:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Use-after-free in the GLX dispatch layer of X.Org X Server and Xwayland allows an authenticated X client to corrupt heap memory by triggering a contextTags array reallocation while a stale pointer is still held. The attacker crafts a deterministic sequence of exactly 34 GLX requests - 17 CreateContext and 17 MakeCurrent calls - to force the realloc, after which GlxFreeContextTag writes zeros into freed memory at five fixed offsets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain authorized X display connection with GLX support
Delivery
Create 16 GLX contexts via CreateContext requests
Exploit
Issue MakeCurrent(oldContextTag=0) for each to fill all tag slots
Install
Issue 17th MakeCurrent with non-zero oldContextTag
C2
Trigger GlxAllocContextTag realloc moving contextTags buffer
Execute
GlxFreeContextTag writes zeros to freed heap memory
Impact
Leverage heap corruption for privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authorized connection to an X11 display that has GLX support enabled - the attacker must be able to create GLX rendering contexts via the X protocol. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector, EPSS score, or CISA KEV entry is available for this CVE, which limits automated risk scoring. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with access to the X display - either directly on the machine or via an authorized remote X11 connection - connects as a GLX-capable client and issues 16 CreateContext calls followed by MakeCurrent(oldContextTag=0) for each, filling all 16 tag slots to capacity. A 17th MakeCurrent with a non-zero oldContextTag triggers GlxAllocContextTag() to realloc the contextTags array; if the allocator moves the buffer, oldTag is now dangling, and the ensuing GlxFreeContextTag(oldTag) writes controlled zeros into freed heap memory. …
Remediation The primary remediation is to upgrade to xorg-server-21.1.24 or xwayland-24.1.13, which include the fix commit 2779affbdb4354e894f490e56f962527d6125043 (see https://gitlab.freedesktop.org/xorg/xserver/-/commit/2779affbdb4354e894f490e56f962527d6125043). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory systems running X.Org X Server and Xwayland; document which systems expose X11 sockets to untrusted users or networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2018-14665 MEDIUM POC
6.6 Oct 25

A flaw was found in xorg-x11-server before 1.20.3. Rated medium severity (CVSS 6.6), this vulnerability is low attack co

CVE-2019-17624 HIGH POC
7.8 Oct 16

"" In X.Org X Server 1.20.4, there is a stack-based buffer overflow in the function XQueryKeymap. Rated high severity (C

CVE-2017-10971 HIGH
8.8 Jul 06

In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context

CVE-2022-46344 HIGH
8.8 Dec 14

A vulnerability was found in X.Org. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low atta

CVE-2022-46343 HIGH
8.8 Dec 14

A vulnerability was found in X.Org. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low atta

CVE-2022-46342 HIGH
8.8 Dec 14

A vulnerability was found in X.Org. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low atta

CVE-2022-46341 HIGH
8.8 Dec 14

A vulnerability was found in X.Org. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low atta

CVE-2022-46340 HIGH
8.8 Dec 14

A vulnerability was found in X.Org. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low atta

CVE-2022-3550 HIGH
8.8 Oct 17

A vulnerability classified as critical was found in X.org Server. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2023-5367 HIGH
7.8 Oct 25

A out-of-bounds write flaw was found in the xorg-x11-server. Rated high severity (CVSS 7.8), this vulnerability is low a

CVE-2023-6377 HIGH
7.8 Dec 13

A flaw was found in xorg-server. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Out-o

CVE-2026-55999 HIGH
7.8 Jul 08

Local privilege escalation via heap buffer overflow in the X.Org Server (versions before 21.1.24) and Xwayland (before 2

Share

CVE-2026-56000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy