Description
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Published: 2026-06-05
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the X.Org X server and Xwayland; the bug is triggered when a client changes key types to excessive shift levels, bypassing a check that limits the number of shift levels to XkbMaxShiftLevel. The overflow can crash the server or, if the X server runs as root, allow an attacker to execute arbitrary code and gain root privileges.

Affected Systems

Red Hat Enterprise Linux 6 through 10 are affected because the vulnerability resides in the X.Org X server component shipped with these distributions. Any system that runs the X server or Xwayland under these RHEL versions is potentially vulnerable.

Risk and Exploitability

The CVSS score is 7.8, indicating a high severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker who can send malformed key type commands over the X protocol; this may be done locally or remotely if the X server exposes a network connection. If the X server is executed as root, the overflow can be leveraged for privilege escalation. The absence of an official workaround means patching is the only effective defense.

Generated by OpenCVE AI on June 5, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Red Hat Security Advisory patch that corrects the key‑type bounds check in the X server.
  • Ensure the X server is not run with root privileges; use a non‑root wrapper or a rootless X session if it must be accessed remotely.
  • Restrict untrusted client connections by configuring .xauthority files, using xhost or firewalls to limit DISPLAY access to trusted hosts.

Generated by OpenCVE AI on June 5, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9
References

Wed, 24 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8
References

Mon, 22 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:10.2
References

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8::crb
cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::crb
References

Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8::appstream
References

Mon, 08 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared X.org xwayland
CPEs cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*
cpe:2.3:a:x.org:xwayland:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products X.org xwayland

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared X.org
X.org x Server
Vendors & Products X.org
X.org x Server

Fri, 05 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 05 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Title Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in xkb key types due to unchecked shift levels
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-121
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Redhat Enterprise Linux
X.org X Server Xwayland
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-25T13:16:16.829Z

Reserved: 2026-06-04T14:55:24.011Z

Link: CVE-2026-50258

cve-icon Vulnrichment

Updated: 2026-06-08T15:54:57.873Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T12:16:39.070

Modified: 2026-06-08T16:46:48.723

Link: CVE-2026-50258

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-50258 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:17:10Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow