#1138680 xorg-server: multiple security issues fixed in X.Org X server in June 2026 release #1138680
- Package:
- src:xorg-server
- Source:
- src:xorg-server
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-02 15:27:01 UTC
- Severity:
- normal
- Tags:
Hi
From https://lists.x.org/archives/xorg-announce/2026-June/003702.html:
=======================================================================
X.Org Security Advisory: June 2, 2026
Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
=======================================================================
Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.23 and xwayland-24.1.12.
Note that CVEs have been requested for these issues but did not get assigned in
time for this disclosure.
* Font Alias Stack-based Buffer Overflow
A mismatch between the X server and the libXfont2 library's maximum
font name length can cause a stack buffer overflow during font alias
resolution. The server allocates a 256 byte stack buffer but libXfont2's
alias target name length is 1024 bytes. A font alias name between 257
and 1023 bytes causes the X server to copy that name into the undersized
stack buffer without further checks.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30136)
* XSYNC Use-After-Free in miSyncDestroyFence()
A client that sets up multiple fence triggers can trigger a
use-after-free function pointer call. An attacker would connect to the
X server to set up a fence and await that fence, then a second X
connection destroys the fence, causing the use-after-free.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30159)
* XKB Key Types Stack-based Buffer Overflow
The X server has multiple stack buffers that are sized
XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify
or clamp non-canonical key types to XkbMaxShiftLevel. A client can
change key types to excessive shift levels and trigger three separate
stack overflows.
This is caused by an incomplete fix of CVE-2025-26597.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30160)
* XKB SetMap Request Stack-based Buffer Overflow
_XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]
indexed by key type index. The helper function CheckKeyTypes() writes
to this buffer at a client-controlled offset, allowing a stack buffer
overflow.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30161)
* XSYNC Use-After-Free in FreeCounter()
A client that sets up multiple SyncCounters and awaits on those
triggers can trigger a use-after-free when destroying those counters
via a second client connection.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30163)
* XSYNC Use-After-Free in SyncChangeCounter()
A client that sets up multiple SyncCounters can trigger a use-after-free
when destroying those counters via a second client connection while
changing those counters.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30164)
* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write
A wrong size validation check in __glXDisp_ChangeDrawableAttributes()
can read (or write) a client-controlled number of bytes, exceeding
the request buffer.
The write path requires byte-swapped clients which is disabled by
default.
The read can lead to information disclosure, the write can be used
to crash the server, or for privilege escalation if the X server runs
as root.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30165)
* CreateSaverWindow Use-After-Free Information Disclosure
A client can trigger a use-after-free read after changing window
attributes and forcing the screen saver. This can lead to information
disclosure.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30168)
* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write
A client that requests multiple DRI2BufferBackLeft attachments and one
DRI2BufferFrontLeft can trigger an out-of-bounds heap write.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
Found by: Peter Hutterer, Red Hat.
So far no CVEs assigned.
Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of xwayland, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1138680@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Timo Aaltonen <tjaalton@debian.org> (supplier of updated xwayland package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) Format: 1.8 Date: Tue, 02 Jun 2026 11:58:56 +0300 Source: xwayland Built-For-Profiles: derivative.ubuntu noudeb Architecture: source Version: 2:24.1.12-1 Distribution: unstable Urgency: medium Maintainer: Debian X Strike Force <debian-x@lists.debian.org> Changed-By: Timo Aaltonen <tjaalton@debian.org> Closes: 1138680 Changes: xwayland (2:24.1.12-1) unstable; urgency=medium . * New upstream release. (Closes: #1138680) Checksums-Sha1: f3f0679ed41d47c4c51ce7b883db5d02b59f94ab 2564 xwayland_24.1.12-1.dsc 4844f1a9fb495ad9c14990a8e230d9c538cf7dbf 1306052 xwayland_24.1.12.orig.tar.xz 2d7ff2f4b9da030cf72b9cf39fb1601b42e2c379 195 xwayland_24.1.12.orig.tar.xz.asc c69aec998bd171a6913c61470c5162c3eb2128bd 35600 xwayland_24.1.12-1.debian.tar.xz 977d2c2c027f96de3169846f082b79a18b01716f 11201 xwayland_24.1.12-1_source.buildinfo Checksums-Sha256: 4c20d9267c5fe00c0a1abc9608116e988426410ddfc64c3e77b5b9dbfd3ef43a 2564 xwayland_24.1.12-1.dsc 6df02c511b92c1b9848734d9d1b03a4c24f8375ba3cada44e9684a21b5f78e21 1306052 xwayland_24.1.12.orig.tar.xz 1b2ee4f67ecd653ce4aaa6a73febb6438c0ec6bbd7c49db09c12a40d1464190e 195 xwayland_24.1.12.orig.tar.xz.asc 04de1f5ec6f73f0993640df80ddb892b06869265a91caf2849f2e836bc18e79f 35600 xwayland_24.1.12-1.debian.tar.xz 9e0fcbc30e938194dc03504e1fcfcd426513190a5d0b515d21c26749abb9b73b 11201 xwayland_24.1.12-1_source.buildinfo Files: ad33e38f2973732f101daf0d4f5b6648 2564 x11 optional xwayland_24.1.12-1.dsc 0b50c13c4bc2a72a39daf322500cae34 1306052 x11 optional xwayland_24.1.12.orig.tar.xz ae871f61bc2cf859157011e83e4b3910 195 x11 optional xwayland_24.1.12.orig.tar.xz.asc 8a0779b53b58b3ab4167ec38fcdc25a1 35600 x11 optional xwayland_24.1.12-1.debian.tar.xz 4fd473fcf271d9d5fd60ff206a27689c 11201 x11 optional xwayland_24.1.12-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmoem1oACgkQy3AxZaiJ hNyUAg//WyJdEhQtGWGoC3dNNQZcfNIQOGQ/MPxzZs5VH10gP9eXs4C9Qy7znleB WGlNbl4TR9vHbn1rfxwq/4kgEqUstiGXSXL+asiW26JEspLJtdGxxjIH+5SRWaJM mSWXZxntpQgbujIbWQN6REfsbKkNWesUwL6yMAIeKWiP1ulqCaIkln5C1R+dUhB1 gPWCD4fY1elJwXyhHrJ0Tt3nxizJM4q+FWfDTCPNT7Ux2VR5gtQEDyv3O4nUP5Qy XXUGUCG/Kzu7vCefpws37R3QtKVAkH5P1agkjBNu5xQiDek5nU3y6NU/STbwW2+y dVLdkaLJ30BFuyFU96+9wY03jDKTuqdBXL8HjWMBunyIS9zyfVLFmZxn/9Htpbn/ JxOaJJEcWPyP+admKV0/C2/R4XAnbW0fxyVLzv4G6RUuUZ7sb+RO0cNga2Rrdhui fDoQTeaUXxcInpn3bZKID4P2aVfIggD6cbaLjIxLm8QlklQqyKeSi3sKTjvCf/uK T3exLQo0lV/A323+yhzAFrH6iVoFyCb+fKgFB1z628CdJs0MNzWWKeT2nj1U0+/m gw2Nf1rE/NBmsAR7vEYf4PF6PsxxgxO+q8rXHKLQj3h7T0srP1c5SlG+wcbT1mR6 OU5ZvhUb9cFA75F5StPFBJifSEwYTLqLaYUOzxxk3dxYfTQdgLs= =Ht0V -----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of xorg-server, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1138680@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Timo Aaltonen <tjaalton@debian.org> (supplier of updated xorg-server package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) Format: 1.8 Date: Tue, 02 Jun 2026 12:15:12 +0300 Source: xorg-server Built-For-Profiles: derivative.ubuntu noudeb Architecture: source Version: 2:21.1.23-1 Distribution: unstable Urgency: medium Maintainer: Debian X Strike Force <debian-x@lists.debian.org> Changed-By: Timo Aaltonen <tjaalton@debian.org> Closes: 1138680 Changes: xorg-server (2:21.1.23-1) unstable; urgency=medium . * New upstream release. (Closes: #1138680) Checksums-Sha1: e1cf7aabba97402f0ef9e1368ed9ddb55aeedc7b 4302 xorg-server_21.1.23-1.dsc 35ea23826806442b4acaffa653a769645fc2cfbf 9031952 xorg-server_21.1.23.orig.tar.gz 7cebdc42de39c9959595554f4d88b609c1d0acd7 195 xorg-server_21.1.23.orig.tar.gz.asc 1882245dd56d8bdfc5cd299f3b94ef99bc20f5fc 178282 xorg-server_21.1.23-1.diff.gz 79977dea8404bab0fbe61f8c6529489baa54c432 11896 xorg-server_21.1.23-1_source.buildinfo Checksums-Sha256: fd7718de38682ae98f1eeee165fadd6b888a5f6e1c3a9d4b272ac94d66140c43 4302 xorg-server_21.1.23-1.dsc d81f4bea5eaf7e5c299bfeb52d54bab7e17ea72997b10fc9907712fccf9a64d5 9031952 xorg-server_21.1.23.orig.tar.gz 14cc73ac88297d9426e0dfc9ef7e11afd6cfadebb1c13627af7b2d2a307d3ff9 195 xorg-server_21.1.23.orig.tar.gz.asc 732c970a3951cbb332fe6d3875cd9b1b039ff1befbb046cd7c7017e2171cdd83 178282 xorg-server_21.1.23-1.diff.gz 9c3de672a789bc9f3a0aef09b28032d1493dd2aab652fd491500868f80816fb5 11896 xorg-server_21.1.23-1_source.buildinfo Files: 0b9c6f7787dee3c4978a43ec9fb52f12 4302 x11 optional xorg-server_21.1.23-1.dsc 03bc57460a69a6a4469032196666d93d 9031952 x11 optional xorg-server_21.1.23.orig.tar.gz 87d3ba228b32153212dd4ba7ca71368e 195 x11 optional xorg-server_21.1.23.orig.tar.gz.asc 68d102223ba50036ba8ee1d6bfc0630d 178282 x11 optional xorg-server_21.1.23-1.diff.gz c114e5df1226ca678f0918a8adc5fc8d 11896 x11 optional xorg-server_21.1.23-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmoenywACgkQy3AxZaiJ hNxo+w/9FGhgoHgHSb9OsIOSyNUQRtuSB1IZBqqUrjFKxl5JVygBUAX4wYKU+IFx sMf4546fw5z3ocT3clmCfEJLzpgzqAu2ch3haYtZfmym88MwC1BEl5GQQOI6OgKU Z679EY1ucnqV3jH5wuBBFPfjGAK5anZf5hILLXHihlhbM2NknDptPQ4FWg10kH7J oqIIeg0khUan3X0cX5E55YtbzQojAewkcjV08y1mxFsKKvrujpy+Ph9WU2Amp4xW PFpKP0DNEcV3TznS1FDfvBSHjiMuEyWPuXPFcjTlgXJZb2yJuZig2EmqW5JK9WHH XoOK5CAm5RAQlAnae7TqN62UjQ37fAh7nF9DM4cTt5/H22nyViw4y0oYMCLYZRNs Ap8dyn2u8L4l6R1lHVBhgKW5bmUKnp0mQa5fKGzmgpqZDr3ImltlBKHzTM8uJaK9 /ohkpnEFR/slIeHoGAP4La4V6DKaOgjS8eeM5aSdXnVsafjIBFTO1FN0Etoonx4u CxSzaS2swAJ/A7ylE4F8RDIYBrszyVgytrDfg5l4wnsrDClib1pryMXVarb29yXw lQ2KceIurTpx6KDMR7tttzCS76VtKsP6ATB6d8J1icZ77ZZBuTOqUgF1tb5qlVgc y/FhQy30rbpiMjs8wAxziSqMOEpbitFyqdR9c51ZfFPYHhevvvY= =paOL -----END PGP SIGNATURE-----