Skip to main content

X.Org X server EUVDEUVD-2026-34814

| CVE-2026-50259 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-05 redhat GHSA-7ww4-jpp4-x9fw
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 12:22 vuln.today
CVE Published
Jun 05, 2026 - 10:31 nvd
HIGH 7.8

DescriptionCVE.org

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root.

AnalysisAI

Stack-based buffer overflow in X.Org X server and Xwayland's _XkbSetMapChecks() function allows local authenticated attackers to crash the server or potentially escalate privileges to root when the X server runs with elevated privileges. The flaw resides in CheckKeyTypes() writing to a fixed mapWidths[256] stack buffer at a client-controlled offset, affecting Red Hat Enterprise Linux versions 6 through 10. No public exploit identified at time of analysis, but an upstream fix has been merged into the xserver repository.

Technical ContextAI

X.Org X server is the reference implementation of the X11 display server protocol, and Xwayland is its compatibility layer for running X11 clients under Wayland compositors. The vulnerability is a classic CWE-121 stack-based buffer overflow in the XKB (X Keyboard Extension) handling code: _XkbSetMapChecks() allocates a fixed 256-element mapWidths array on the stack, then CheckKeyTypes() writes into this array using an index supplied by the client without bounds validation. Because XKB requests are processed by the server on behalf of any connected X client, a malicious local client can craft an XkbSetMap request with an out-of-range key type index, corrupting stack memory in the server process. On distributions where the X server still runs as root (common on legacy RHEL deployments and headless/console setups), corruption of saved return addresses or function pointers can yield root-level code execution.

RemediationAI

Upstream fix available (commit 867b59b33bee669cb412f1314e47c52eacf6e00b in gitlab.freedesktop.org/xorg/xserver); released patched version not independently confirmed from the provided references - administrators should monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-50259 and apply the xorg-x11-server and xwayland errata packages once published via yum/dnf update for their RHEL major version. As a compensating control until patched packages are installed, run Xorg rootless where supported (RHEL 8+ defaults) so that a successful overflow yields user-level rather than root-level code execution, accepting the trade-off that some legacy input drivers and VT switching features may require additional configuration. On RHEL 6/7 systems where root-mode Xorg is still default, restrict local interactive logins to trusted users only and consider migrating console-only servers off of running the X server entirely; on RHEL 9/10 deployments, prefer Wayland sessions where Xwayland still requires patching but reduces the attack surface available to remote X clients. The freedesktop announcement at https://lists.x.org/archives/xorg-announce/2026-June/003702.html should be consulted for the exact upstream tag containing the fix.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

EUVD-2026-34814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy