[oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland

Olivier Fourdan Tue, 14 Apr 2026 09:02:56 -0700

======================================================================
X.Org Security Advisory: April 14, 2026


Issues in X.Org X server prior to 21.1.22 and Xwayland prior to 24.1.10
======================================================================

Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.22 and xwayland-24.1.10.


* CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()

   If a "compat" buffer was previously truncated, there will be unused
   space left in the buffer. The code in XkbSetCompatMap() will use that
   space, but fails to update the number of valid entries actually in the
   buffer.

   As a result, that can lead to buffer read overrun when processing a
   future request.

   Introduced in: Prior to X11R6.6 Xorg baseline
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae17
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

* CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()

   Each key alias entry contains two key names (the alias and the real
   key name).

   The code in CheckSetGeom() does its bounds checking using only the
   first name, allowing XkbAddGeomKeyAlias to read uninitialised memory.

   Introduced in: xorg-server-21.1.4 and xwayland-22.1.3
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

* CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()

   When walking the list of fences to trigger, miSyncTriggerFence() may
   call TriggerFence() for the current trigger, which end up calling the
   function SyncAwaitTriggerFired().

   SyncAwaitTriggerFired() frees the entire await resource, which removes
   all triggers from that await, including the next entries in the list
   of fences, leading to a use-after-free.

   Introduced in: xorg-server-1.9.0
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94b
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

* CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()

   CheckModifierMap() reads from the wire in a loop without verifying that
   the data remains within the bounds of the client request.

   As a result, the total number of keys could exceed the actual data
   provided, causing a potential read of uninitialised memory.

   Introduced in: Prior to X11R6.6 Xorg baseline
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1c
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

* CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()

   The function CheckKeyTypes() will loop over the client's request but
   won't perform any additional bound checking to ensure that the data
   read remains within the request bounds.

   As a result, a specifically crafted request may cause CheckKeyTypes()
   to read uninitialised memory past the request data.

   Introduced in: Prior to X11R6.6 Xorg baseline
   Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
   Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd
        https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563f
   Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.

------------------------------------------------------------------------

X.Org thanks all of those who reported and fixed these issues, and those
who helped with the review and release of this advisory and these fixes.

[oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland

Reply via email to