Description
A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
Published: 2026-06-05
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free vulnerability exists in the X.Org X server and Xwayland, within the CreateSaverWindow() function. A client that can manipulate window attributes and force the screen saver can cause the server to read an object's memory after that object has been freed. The read discloses data from the X server's address space. This is a classic use-after-free (CWE-416), and it can reveal confidential information that the client cannot normally access.

Affected Systems

The affected products are X.Org X server and Xwayland on Red Hat Enterprise Linux 6, 7, 8, 9 and 10. No specific version numbers are listed in the advisory; any installation of these packages on the mentioned RHEL releases is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a client that can connect to the X server, change window attributes, and force a screen saver. The lack of an EPSS score provides no current estimate of exploitation likelihood, but the described workflow makes the vulnerability usable for information disclosure by an attacker with X client access.

Generated by OpenCVE AI on June 5, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Red Hat security update that patches X.Org X server and Xwayland for CVE-2026-50263, ensuring the underlying packages are upgraded to a fixed version.
  • After applying the update, restart the X server or reboot the system so that the patched binaries are loaded.
  • If possible, limit X client connections to trusted local users and disable remote X forwarding while the vulnerability remains active.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Fri, 05 Jun 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
Title | | Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free information disclosure in createsaverwindow()
First Time appeared | | Redhat; Redhat enterprise Linux
Weaknesses | | CWE-416
CPEs | | cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:6; cpe:/o:redhat:enterprise_linux:7; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products | | Redhat; Redhat enterprise Linux
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-05T10:36:46.377Z

Reserved: 2026-06-04T14:55:24.012Z

Link: CVE-2026-50263

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-05T12:16:39.927

Modified: 2026-06-05T13:27:38.750

Link: CVE-2026-50263

Redhat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-50263 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-05T12:30:40Z

Weaknesses