X.Org X Server and Xwayland Security Flaws
2026-07-08
Use-after-free in the GLX dispatch layer of X.Org X Server and Xwayland allows an authenticated X client to corrupt heap memory by triggering a contextTags array reallocation while a stale pointer is still held. The attacker crafts a deterministic sequence of exactly 34 GLX requests - 17 CreateContext and 17 MakeCurrent calls - to force the realloc, after which GlxFreeContextTag writes zeros into freed memory at five fixed offsets. No CVSS vector or KEV listing is present; the vulnerability was discovered by an anonymous researcher through Trend Micro Zero Day Initiative (ZDI-CAN-30561), indicating active vulnerability research interest though no public exploit has been confirmed.
Local privilege escalation via heap buffer overflow in the X.Org Server (versions before 21.1.24) and Xwayland (before 24.1.13) allows a local user holding an X connection to corrupt heap memory by supplying a malicious PCX font. The flaw lives in the SetFont code path, where missing glyph boundary checks let an oversized or malformed glyph write past its heap allocation, yielding full confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis; EPSS is low at 0.28% and CISA SSVC rates exploitation as none.