CVE-2025-26601 - Vulnerability Details

- Xorg: xwayland: use-after-free in syncinittrigger()

Description

A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.

Published: 2025-02-25

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free vulnerability exists in the X.Org Server and Xwayland components; the flaw is triggered when an alarm is altered, causing the SyncInitTrigger() function to be invoked after error handling that may leave a dangling pointer, potentially allowing an attacker who can manipulate alarm parameters to corrupt memory and execute arbitrary code, jeopardizing confidentiality, integrity, and availability.

Affected Systems

The flaw impacts Red Hat Enterprise Linux releases 6, 7, 8, 9, and 10, including their extended support branches such as RHEL ELS, RHEL EUS, and RHEL TUS, as well as the X.org and Xwayland packages used by Red Hat and third‑party distributions; it also touches Tigervnc when bundled with these components, with no specific product or version ranges listed beyond the fact that current installations of the affected X packages are vulnerable until patched.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, while the EPSS score of less than 1 % suggests limited exploitation likelihood; the vulnerability is not currently in the CISA KEV catalogue. An attacker with local access to the X server—or potentially remote access if the X server is exposed—could exploit the use‑after‑free to compromise the system. Without an official workaround, vendors rely on patches for mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unaffected

Version	Status	Constraints
`0`	affected	< 21.1.16
`22.0.0`	affected	< 24.1.6

Red Hat

Red Hat Enterprise Linux 10

affected

Version	Status	Constraints
`0:24.1.5-3.el10_0`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION

affected

Version	Status	Constraints
`0:1.1.0-25.el6_10`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 7 Extended Lifecycle Support

affected

Version	Status	Constraints
`0:1.8.0-36.el7_9`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 7 Extended Lifecycle Support

affected

Version	Status	Constraints
`0:1.20.4-30.el7_9`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:1.13.1-15.el8_10`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.2 Advanced Update Support

affected

Version	Status	Constraints
`0:1.9.0-15.el8_2.13`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support

affected

Version	Status	Constraints
`0:1.11.0-8.el8_4.12`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.4 Telecommunications Update Service

affected

Version	Status	Constraints
`0:1.11.0-8.el8_4.12`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:1.11.0-8.el8_4.12`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support

affected

Version	Status	Constraints
`0:1.12.0-6.el8_6.13`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.6 Telecommunications Update Service

affected

Version	Status	Constraints
`0:1.12.0-6.el8_6.13`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:1.12.0-6.el8_6.13`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.8 Extended Update Support

affected

Version	Status	Constraints
`0:1.12.0-15.el8_8.12`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:1.14.1-1.el9_5.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:1.20.11-28.el9_6`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:23.2.7-3.el9_6`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:1.11.0-22.el9_0.13`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.2 Extended Update Support

affected

Version	Status	Constraints
`0:1.12.0-14.el9_2.10`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.4 Extended Update Support

affected

Version	Status	Constraints
`0:1.13.1-8.el9_4.5`	unaffected	< *

Red Hat Red Hat Enterprise Linux 6 unknown —

Red Hat Red Hat Enterprise Linux 8 unaffected —

Configuration 1 [-]

cpe:2.3:a:tigervnc:tigervnc:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:x.org:x_server::::::::
	cpe:2.3:a:x.org:xwayland::::::::

Configuration 3 [-]

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
xorg-x11-server-Xwayland-0:24.1.5-3.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:7458	2025-05-13T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
tigervnc-0:1.8.0-36.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:2861	2025-03-17T00:00:00Z
xorg-x11-server-0:1.20.4-30.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:2879	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 8
tigervnc-0:1.13.1-15.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:2502	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
tigervnc-0:1.9.0-15.el8_2.13	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:2866	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
tigervnc-0:1.11.0-8.el8_4.12	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:2865	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
tigervnc-0:1.11.0-8.el8_4.12	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:2865	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
tigervnc-0:1.11.0-8.el8_4.12	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:2865	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
tigervnc-0:1.12.0-6.el8_6.13	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:2880	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
tigervnc-0:1.12.0-6.el8_6.13	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:2880	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
tigervnc-0:1.12.0-6.el8_6.13	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:2880	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
tigervnc-0:1.12.0-15.el8_8.12	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:2862	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 9
tigervnc-0:1.14.1-1.el9_5.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:2500	2025-03-10T00:00:00Z
xorg-x11-server-0:1.20.11-28.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:7163	2025-05-13T00:00:00Z
xorg-x11-server-Xwayland-0:23.2.7-3.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:7165	2025-05-13T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
tigervnc-0:1.11.0-22.el9_0.13	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:2873	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
tigervnc-0:1.12.0-14.el9_2.10	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:2874	2025-03-17T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
tigervnc-0:1.13.1-8.el9_4.5	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:2875	2025-03-17T00:00:00Z

No data available yet.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

Apply the Red Hat security updates that contain the fix for this issue (for example, RHSA‑2025:2500 and RHSA‑2025:2502).
Remove or upgrade any unpatched X.org and Xwayland packages to the updated versions provided in the errata.
If a patch cannot be applied immediately, disable Xwayland or restrict X server access to trusted local users to avoid triggering the use‑after‑free.

Generated by OpenCVE AI on April 28, 2026 at 03:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4072-1	xorg-server security update
Debian DSA	DSA-5872-1	xorg-server security update
EUVD	EUVD-2025-5426	A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.
Ubuntu USN	USN-7299-1	X.Org X Server vulnerabilities
Ubuntu USN	USN-7299-2	X.Org X Server vulnerabilities
Ubuntu USN	USN-7299-4	X.Org X Server regression

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:2500
https://access.redhat.com/errata/RHSA-2025:2502
https://access.redhat.com/errata/RHSA-2025:2861
https://access.redhat.com/errata/RHSA-2025:2862
https://access.redhat.com/errata/RHSA-2025:2865
https://access.redhat.com/errata/RHSA-2025:2866
https://access.redhat.com/errata/RHSA-2025:2873
https://access.redhat.com/errata/RHSA-2025:2874
https://access.redhat.com/errata/RHSA-2025:2875
https://access.redhat.com/errata/RHSA-2025:2879
https://access.redhat.com/errata/RHSA-2025:2880
https://access.redhat.com/errata/RHSA-2025:3976
https://access.redhat.com/errata/RHSA-2025:7163
https://access.redhat.com/errata/RHSA-2025:7165
https://access.redhat.com/errata/RHSA-2025:7458
https://access.redhat.com/security/cve/CVE-2025-26601
https://bugzilla.redhat.com/show_bug.cgi?id=2345251
https://lists.debian.org/debian-lts-announce/2025/02/msg00036.html
https://nvd.nist.gov/vuln/detail/CVE-2025-26601
https://security.netapp.com/advisory/ntap-20250516-0004/
https://www.cve.org/CVERecord?id=CVE-2025-26601

History

Mon, 06 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:rhel_els:6
References		https://access.redhat.com/errata/RHSA-2025:3976

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/02/msg00036.html

Fri, 16 May 2025 23:45:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20250516-0004/

Tue, 13 May 2025 20:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10.0
References		https://access.redhat.com/errata/RHSA-2025:7458

Tue, 13 May 2025 14:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::crb
References		https://access.redhat.com/errata/RHSA-2025:7163 https://access.redhat.com/errata/RHSA-2025:7165

Thu, 08 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:x.org:x_server:-:::::::* cpe:2.3:a:x.org:xwayland:-:::::::*	cpe:2.3:a:x.org:x_server:::::::: cpe:2.3:a:x.org:xwayland::::::::

Mon, 17 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6

Mon, 17 Mar 2025 05:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs	~~cpe:/o:redhat:enterprise_linux:7~~	cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_e4s:9.0::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els
References		https://access.redhat.com/errata/RHSA-2025:2861 https://access.redhat.com/errata/RHSA-2025:2866 https://access.redhat.com/errata/RHSA-2025:2873 https://access.redhat.com/errata/RHSA-2025:2879 https://access.redhat.com/errata/RHSA-2025:2880

Mon, 17 Mar 2025 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_eus:9.2::appstream cpe:/a:redhat:rhel_eus:9.4::appstream cpe:/a:redhat:rhel_tus:8.4::appstream
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:2865 https://access.redhat.com/errata/RHSA-2025:2874 https://access.redhat.com/errata/RHSA-2025:2875

Mon, 17 Mar 2025 01:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:8.8::appstream
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:2862

Tue, 11 Mar 2025 02:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9

Mon, 10 Mar 2025 13:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:9::appstream
References		https://access.redhat.com/errata/RHSA-2025:2500 https://access.redhat.com/errata/RHSA-2025:2502

Tue, 04 Mar 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tigervnc Tigervnc tigervnc X.org X.org x Server X.org xwayland
CPEs		cpe:2.3:a:tigervnc:tigervnc:-:::::::* cpe:2.3:a:x.org:x_server:-:::::::* cpe:2.3:a:x.org:xwayland:-:::::::* cpe:2.3:o:redhat:enterprise_linux:7.0:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*
Vendors & Products		Tigervnc Tigervnc tigervnc X.org X.org x Server X.org xwayland

Wed, 26 Feb 2025 02:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-26601 https://www.cve.org/CVERecord?id=CVE-2025-26601
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 25 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.
Title		Xorg: xwayland: use-after-free in syncinittrigger()
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-416
CPEs		cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-26601 https://bugzilla.redhat.com/show_bug.cgi?id=2345251
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

Tigervnc Tigervnc

X.org X Server Xwayland

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-02-25T15:55:36.775Z

Updated: 2026-04-06T12:53:35.517Z

Reserved: 2025-02-12T14:12:22.796Z

Link: CVE-2025-26601

Vulnrichment

Updated: 2025-11-03T21:13:09.542Z

NVD

Status : Modified

Published: 2025-02-25T16:15:39.537

Modified: 2026-04-06T13:17:17.303

Link: CVE-2025-26601

Redhat

Severity : Important

Publid Date: 2025-02-25T00:00:00Z

Links: CVE-2025-26601 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object