Skip to main content

X.Org Server EUVDEUVD-2026-34819

| CVE-2026-50262 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-05 redhat GHSA-jx39-26rr-cwqp
5.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 12:26 vuln.today
CVE Published
Jun 05, 2026 - 10:36 nvd
MEDIUM 5.5

DescriptionCVE.org

An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients which is disabled by default.

AnalysisAI

Out-of-bounds read in X.Org X server and Xwayland's GLX extension handler __glXDisp_ChangeDrawableAttributes() allows a local low-privileged user to disclose sensitive memory contents from the X server process. Faulty size validation permits reading a client-controlled number of bytes beyond the request buffer boundary, resulting in high confidentiality impact per CVSS. A secondary write path exists in the same function but is gated behind byte-swapped client support, which is disabled by default, substantially limiting its practical exposure. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

The vulnerability resides in the GLX (OpenGL Extension to the X Window System) protocol dispatch layer within the X.Org X server and its Wayland compatibility layer, Xwayland. The function __glXDisp_ChangeDrawableAttributes() processes client-supplied GLX protocol requests but performs an incorrect size validation, failing to bound the read against the actual request buffer length. This is a textbook CWE-125 (Out-of-bounds Read) - client-controlled data determines how many bytes are read, allowing reads past the allocated request buffer into adjacent memory. The secondary write path in the same code block would represent a more severe CWE-787 (Out-of-bounds Write), but it is only reachable when byte-swapped client connections are active, a non-default mode. Affected products per CPE data span the xorg/xserver upstream codebase as packaged in Red Hat Enterprise Linux versions 6 through 10.

RemediationAI

The upstream fix is available via commit 6d459e4daf715bea8abdafa8fb130be2f8a1d145 in the xorg/xserver GitLab repository (https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145); an exact tagged release version was not independently confirmed from the available data - monitor the xorg-announce list post (https://lists.x.org/archives/xorg-announce/2026-June/003702.html) and the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-50262) for distribution-specific update packages. As a compensating control where patching is delayed, administrators can restrict local user access to the X server socket (e.g., via Xwrapper.config or SELinux policy) to reduce the population of users able to submit crafted GLX requests - note this may break legitimate graphical application access. Disabling the GLX extension entirely (-noglx server flag) eliminates the vulnerable code path but will prevent all OpenGL-based applications from functioning. Byte-swapped client support, which gates the write path, is already disabled by default and should not be re-enabled.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

EUVD-2026-34819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy