
X.Org X Server EUVD-2026-34816

CVE-2026-50260 · HIGH · Use After Free (CWE-416)
2026-06-05 · redhat · GHSA-7j37-rf7v-jf5c
CVSS 3.1 (NVD): 7.8

Severity by source

NVD (primary): 7.8 HIGH, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE: HIGH (qualitative)
Red Hat: 7.8 HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (2 events)

Analysis Generated: Jun 05, 2026 - 12:21 (vuln.today)
CVE Published: Jun 05, 2026 - 10:36 (nvd), rated HIGH 7.8

Description (NVD)

A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Analysis (AI-generated)

Local privilege escalation in the X.Org X server and Xwayland arises from a use-after-free in FreeCounter() when SyncCounter objects are destroyed across multiple client connections. Authenticated local attackers on affected Red Hat Enterprise Linux 6 through 10 systems can crash the server or escalate to root when the X server runs with elevated privileges. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Obtain local user shell on RHEL host
Delivery: Open two X client connections with valid auth
Exploit: Create multiple SyncCounters with pending triggers
Install: Destroy counters via second connection to trigger FreeCounter() UAF
C2: Groom heap to control freed SyncCounter memory
Execute: Hijack control flow in X server process
Impact: Execute code as root (or session user on Xwayland)

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires the attacker to already have local authenticated access to an active X server endpoint (either a classic Xorg display socket or an Xwayland instance) and the ability to open at least two concurrent client connections to that server with valid X authorization cookies. …

Risk Assessment: The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields a base score of 7.8 (High), reflecting a local attack vector, low complexity, low privileges (authenticated local user), no user interaction, and full confidentiality, integrity and availability impact. …

Exploit Scenario: A local authenticated attacker (for example, a low-privileged shell user on a multi-user RHEL workstation or a malicious app within a desktop session) opens two client connections to the X server, registers multiple SyncCounters with pending triggers on the first connection, and uses the second connection to destroy those counters, triggering the FreeCounter() use-after-free. Through heap grooming the attacker shapes the freed memory to gain code execution in the X server's address space, which yields root privileges on systems where Xorg still runs as root, or session-level compromise where Xwayland runs unprivileged. …

Remediation: An upstream fix is available (commit f5abfb61994471023d8c6470428c8e30c411cc0b at https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b). A released patched version was not independently confirmed in the supplied data, so administrators should apply the Red Hat errata referenced from https://access.redhat.com/security/cve/CVE-2026-50260 once they list specific xorg-x11-server and xorg-x11-server-Xwayland package versions. …

Recommended Action (AI-generated)

Within 24 hours: Identify all RHEL 6-10 systems running the X.Org X server or Xwayland (for example with `rpm -qa | grep -E 'xorg-x11-server|xwayland'`; the pattern matches the xorg-x11-server-* and xorg-x11-server-Xwayland package names named in the remediation above). …



Vendor Status

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected


