X.Org Server 21.1.20 Update With 3 Vulnerabilities Fixed

Corrective releases of X.Org Server 21.1.19 and of the DDX (Device-Dependent X) component xwayland 24.1.9, which runs an X.Org Server inside Wayland-based environments so that X11 applications can be executed there, have been published. The new versions fix 3 vulnerabilities, rated 7.8 out of 10 in severity. The problems can potentially be exploited to escalate privileges on systems where the X server runs as root, and for remote code execution in configurations that use X11 session forwarding over SSH.

Fixed vulnerabilities:

  • CVE-2025-62229 – use-after-free in the code that creates the XPresentNotify structure. The problem lies in the implementation of the X11 Present extension: if an error occurs while processing and adding notifications after a pixmap is presented, a dangling pointer to a freed present_notify object is left behind. The vulnerability has been present since the release of Xorg 1.15 (2013).
  • CVE-2025-62230 – use-after-free when deleting a client's resources in Xkb. The XkbRemoveResourceClient() function freed the memory allocated for the XkbInterest data associated with the device, but left the resources linked to it in place. The vulnerability has been present since the release of X11R6 (1994).
  • CVE-2025-62231 – integer overflow in the Xkb extension. In the XkbCompatMap structure, values were stored as an "unsigned short" type, but there was no check that the input value could exceed the upper bound of this type. The vulnerability has been present since the release of X11R6 (1994).
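
To illustrate the bug class behind CVE-2025-62231 (a request value stored into an "unsigned short" field without checking that it fits), the following is an added example and not code from the X.Org server: a hypothetical structure with a 16-bit count field, the unchecked store that truncates silently, and the checked store that rejects out-of-range input before narrowing.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a structure that keeps a count in an
 * "unsigned short" field, as the text describes for XkbCompatMap.
 * Illustrative only; this is not the X.Org server's definition. */
struct compat_map_like {
    unsigned short num_entries;   /* 16-bit field: maximum 65535 */
    uint32_t *entries;            /* buffer later sized from num_entries */
};

/* Vulnerable pattern: a 32-bit count taken from the request is stored
 * into the 16-bit field with no range check. A value such as 65536
 * wraps to 0, so an allocation sized from num_entries ends up far
 * smaller than the number of entries the request then supplies. */
void set_count_unchecked(struct compat_map_like *m, uint32_t requested)
{
    m->num_entries = (unsigned short)requested;  /* silent truncation */
}

/* Hardened pattern: validate the request value against the upper bound
 * of the destination type before narrowing. Returns false and leaves
 * the structure untouched when the value would not fit. */
bool set_count_checked(struct compat_map_like *m, uint32_t requested)
{
    if (requested > USHRT_MAX)
        return false;             /* caller should reject the request */
    m->num_entries = (unsigned short)requested;
    return true;
}

/* Demonstration helper: the value that survives the unchecked store. */
unsigned short truncated_count(uint32_t requested)
{
    struct compat_map_like m = {0, NULL};
    set_count_unchecked(&m, requested);
    return m.num_entries;
}

int main(void)
{
    uint32_t requested = 65536u;  /* constructed: one past the 16-bit range */
    struct compat_map_like m = {0, NULL};
    printf("unchecked store of %u yields %u\n", requested, truncated_count(requested));
    printf("checked store: %s\n", set_count_checked(&m, requested) ? "accepted" : "rejected");
    return 0;
}
```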

Hot on its heels, a maintenance release of X.Org Server 21.1.20 has been published, which resolves an issue that caused builds with the Meson build system to fail.

/Reports, release notes, official announcements.