X.Org has published corrective releases X.Org Server 21.1.22 and xwayland 24.1.10 that fix five vulnerabilities. xwayland is the DDX component that runs an X.Org Server on top of Wayland so that X11 applications can be used in Wayland-based environments. All of the fixed bugs sit in the server's handling of client requests, so they can be used for privilege escalation on systems where the X server runs as root, and for remote code execution in configurations that forward X11 sessions over SSH, where a compromised remote host can send crafted requests to the local X server.
The vulnerabilities that have been fixed include:
- CVE-2026-34001 – a use-after-free in the miSyncTriggerFence() function, present since xorg-server 1.9.0 (2010).
- CVE-2026-33999 – an integer underflow in XkbSetCompatMap() that leads to an out-of-bounds read when a specially crafted request is processed; present since X11R6.6 (2001).
- CVE-2026-34000 – an out-of-bounds read in XkbAddGeomKeyAlias() caused by a missing check that the length of the supplied key name fits the allocated buffer; introduced in xorg-server 21.1.4 and xwayland 22.1.3 (2022).
- CVE-2026-34002 – an out-of-bounds read in CheckModifierMap(); present since X11R6.6 (2001).
- CVE-2026-34003 – a buffer overflow in the XKB function CheckKeyTypes(); also present since X11R6.6 (2001).
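As an added example, not part of the X.Org announcement or of the xorg-server code base, the following POSIX shell script compares a version string against the fixed releases named above and tests the two exposure conditions the announcement describes: an X server process running as root, and X11Forwarding enabled in sshd. The "-version" banner format it parses, the sshd_config fragment, and the process names it looks for are assumptions constructed for the example, not output captured from a live system.

```shell
#!/bin/sh
# Added example, not part of the X.Org release announcement.
# Checks a version string against the fixed releases named in the advisory
# and tests the two exposure conditions it mentions: an X server running as
# root (local privilege escalation) and X11 forwarding over SSH (remote).

FIXED_XORG=21.1.22       # X.Org Server release carrying the fixes
FIXED_XWAYLAND=24.1.10   # xwayland release carrying the fixes

# Constructed sample input (assumed to mirror the real "-version" banner and
# an sshd_config fragment; not captured from a live system).
SAMPLE_XORG_BANNER='X.Org X Server 21.1.20
X Protocol Version 11, Revision 0'
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 22
X11Forwarding yes
X11Forwarding no'

# version_ge A B: succeed when dotted numeric version A >= B.
# Compares component by component, so 21.1.9 < 21.1.22 and 24.1.9 < 24.1.10
# (a plain string comparison gets both wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# banner_version TEXT: extract the first dotted version from a banner line
# of the assumed form "X.Org X Server 21.1.20".
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# fix_status COMPONENT VERSION: print and return whether COMPONENT
# ("xorg" or "xwayland") at VERSION carries the fixes (0 = fixed, 1 = not).
fix_status() {
    case "$1" in
        xorg)     fixed=$FIXED_XORG ;;
        xwayland) fixed=$FIXED_XWAYLAND ;;
        *) echo "unknown component: $1" >&2; return 2 ;;
    esac
    if version_ge "$2" "$fixed"; then
        echo "$1 $2: fixed (>= $fixed)"
        return 0
    fi
    echo "$1 $2: NOT fixed (< $fixed), update required"
    return 1
}

# sshd_x11_forwarding CONFIG_TEXT: succeed when the effective X11Forwarding
# value is "yes". sshd uses the first occurrence of a keyword, keywords are
# case-insensitive, commented lines are ignored, and the default is "no".
sshd_x11_forwarding() {
    val=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/^[[:space:]]*x11forwarding[[:space:]]\{1,\}\([a-z]*\).*/\1/p' \
        | head -n 1)
    [ "$val" = "yes" ]
}

# live_check: apply the same logic to the local machine (run with --live).
live_check() {
    for comp in Xorg Xwayland; do
        command -v "$comp" >/dev/null 2>&1 || continue
        ver=$(banner_version "$("$comp" -version 2>&1)")
        [ -n "$ver" ] || { echo "$comp: could not parse version banner" >&2; continue; }
        case "$comp" in
            Xorg) fix_status xorg "$ver" || : ;;
            *)    fix_status xwayland "$ver" || : ;;
        esac
    done
    # Process names are an assumption; some distributions install Xorg as "X".
    ps -eo user=,comm= | awk '$1 == "root" && ($2 == "Xorg" || $2 == "X" || $2 == "Xwayland") {
        print "X server running as root:", $2 }'
    if [ -r /etc/ssh/sshd_config ] && sshd_x11_forwarding "$(cat /etc/ssh/sshd_config)"; then
        echo "sshd: X11Forwarding yes (remote X clients can reach this server)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Default: run against the constructed samples (the sample banner is older
    # than the fix, so the first call reports NOT fixed).
    fix_status xorg "$(banner_version "$SAMPLE_XORG_BANNER")" || :
    fix_status xwayland "$FIXED_XWAYLAND" || :
    sshd_x11_forwarding "$SAMPLE_SSHD_CONFIG" && echo "sample sshd_config: X11Forwarding yes"
fi
```

Run it without arguments to see the checks against the constructed samples, or with `--live` to query the local `Xorg` and `Xwayland` binaries, the process list and `/etc/ssh/sshd_config`. The numeric comparison matters here because the xwayland fix is 24.1.10: a lexical check would rank 24.1.9 above it and report a vulnerable server as fixed.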