Description
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Published: 2026-06-05
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the X.Org X server and Xwayland; the bug is triggered when a client changes key types to excessive shift levels, bypassing a check that limits the number of shift levels to XkbMaxShiftLevel. The overflow can crash the server or, if the X server runs as root, allow an attacker to execute arbitrary code and gain root privileges.

Affected Systems

Red Hat Enterprise Linux 6 through 10 are affected because the vulnerability resides in the X.Org X server component shipped with these distributions. Any system that runs the X server or Xwayland under these RHEL versions is potentially vulnerable.

Risk and Exploitability

The CVSS score is 7.8, indicating a high severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker who can send malformed key type commands over the X protocol; this may be done locally or remotely if the X server exposes a network connection. If the X server is executed as root, the overflow can be leveraged for privilege escalation. The absence of an official workaround means patching is the only effective defense.

Generated by OpenCVE AI on June 5, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Red Hat Security Advisory patch that corrects the key‑type bounds check in the X server.
  • Ensure the X server is not run with root privileges; use a non‑root wrapper or a rootless X session if it must be accessed remotely.
  • Restrict untrusted client connections by configuring .xauthority files, using xhost or firewalls to limit DISPLAY access to trusted hosts.

Generated by OpenCVE AI on June 5, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 05 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Title Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in xkb key types due to unchecked shift levels
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-121
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-05T10:31:39.316Z

Reserved: 2026-06-04T14:55:24.011Z

Link: CVE-2026-50258

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-05T12:16:39.070

Modified: 2026-06-05T13:27:38.750

Link: CVE-2026-50258

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-50258 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T12:30:40Z

Weaknesses