A high-severity stack buffer overflow in X.Org X server and Xwayland can let a local X client crash the display server or escalate privileges when X runs as root.
Impact
CVE-2026-50256 is a high-severity stack-based buffer overflow in the X.Org X server and Xwayland. Patch now.
The flaw affects font alias resolution. A malicious X client that can connect to the server can trigger the bug. The result can be denial of service. In higher-risk deployments, it can become local privilege escalation if the X server runs as root.
The NVD record lists a CVSS 3.1 base score of 7.8, High. The vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Red Hat is the CNA source. The weakness is CWE-121, stack-based buffer overflow.
Affected Products
Affected upstream components include X.Org X server before 21.1.23 and Xwayland before 24.1.12. Red Hat Bugzilla lists affected package components as xorg-x11-server and xorg-x11-server-Xwayland, with fixes upstream in xorg-server-21.1.23 and xwayland-24.1.12.
NVD also lists affected Red Hat Enterprise Linux configurations for RHEL 7, 8, 9, and 10, plus vulnerable X.Org X server and Xwayland CPE entries. Administrators should rely on their distribution advisories for exact package names, backported fixes, and release-specific errata.
Check these sources:
Technical Details
The vulnerable path handles font aliases. The failure is a size mismatch between the X server and libXfont2.
The X server allocates a 256-byte stack buffer. libXfont2 permits an alias target name up to 1024 bytes. A crafted font alias name between 257 and 1023 bytes can be copied into the undersized stack buffer without sufficient bounds checks.
That is the core issue. The trust boundary is local X client access.
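The size mismatch described above, modelled in C as an added illustration (this is not X.Org's or libXfont2's code; the 256 and 1024 figures come from the advisory, everything else, including the function names and the error-return convention, is assumed). The unchecked copy trusts the callee's 1024-byte limit; the hardened copy validates against the caller's own 256-byte buffer before touching it.

```c
/* Added illustration, not X.Org's code: models the CVE-2026-50256 size
 * mismatch. The X server side keeps a 256-byte stack buffer while the
 * libXfont2 side allows alias targets up to 1024 bytes (figures from the
 * advisory); function names and layout below are assumed. */
#include <stdio.h>
#include <string.h>

#define SERVER_ALIAS_BUF 256   /* stack buffer size on the X server side */
#define XFONT2_ALIAS_MAX 1024  /* longest alias target libXfont2 hands back */

/* Unpatched pattern: copies whatever libXfont2 resolved, relying on the
 * callee's limit (1024) instead of the caller's buffer (256). */
int resolve_alias_unchecked(char *out, const char *alias_target)
{
    char buf[SERVER_ALIAS_BUF];
    strcpy(buf, alias_target);          /* no check against sizeof buf */
    strcpy(out, buf);
    return 0;
}

/* Hardened pattern: the length is validated against the caller's own
 * buffers before any copy; oversized names are refused with an error
 * (assumed here to stand in for a BadName-style protocol error). */
int resolve_alias_checked(char *out, size_t outsz, const char *alias_target)
{
    char buf[SERVER_ALIAS_BUF];
    size_t len = strlen(alias_target);
    if (len >= sizeof buf || len >= outsz)
        return -1;
    memcpy(buf, alias_target, len + 1);  /* +1 keeps the NUL terminator */
    memcpy(out, buf, len + 1);
    return 0;
}

/* Given strlen() of a resolved alias, does it sit in the window the
 * advisory describes: accepted by libXfont2 but too long for the server's
 * buffer? A 256-character name needs 257 bytes with its terminator, which
 * is the lower edge of the 257..1023 range the advisory cites. */
int alias_len_overflows_server(size_t len)
{
    return len >= SERVER_ALIAS_BUF && len < XFONT2_ALIAS_MAX;
}

int main(void)
{
    char out[SERVER_ALIAS_BUF];
    char longname[600];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("5-char alias: %d\n", resolve_alias_checked(out, sizeof out, "fixed"));
    printf("599-char alias: %d\n", resolve_alias_checked(out, sizeof out, longname));
    return 0;
}
```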
X11 is old infrastructure. It was designed around a model where clients that can connect to the display server have broad interaction with the session. That matters here. An attacker does not need remote network reachability to the X server if they already have a path to run or place an X client in the user session. Local shell access, compromised desktop applications, exposed X sockets in containers, unsafe xhost use, or forwarded display access can all raise exposure.
The practical exploit path depends on deployment. If Xorg is rootless, exploitation may still crash the display server and kill active graphical sessions. If Xorg runs as root, successful exploitation may allow privilege escalation from a local client context to root-level code execution. That is why this flaw carries high confidentiality, integrity, and availability impact in the CVSS vector.
Xwayland is also in scope. Wayland-native compositors reduce some historical X11 attack surface, but Xwayland exists to support X11 clients under Wayland sessions. Systems that assume Wayland alone removes exposure should verify whether Xwayland is installed, running, and patched.
Mitigation
Install vendor updates immediately. Use distribution packages first. Do not compile ad hoc fixes on managed fleets unless that is already your standard emergency process.
Target fixed upstream versions:
- X.Org X server 21.1.23 or later.
- Xwayland 24.1.12 or later.
On Red Hat systems, monitor the Red Hat CVE advisory, package errata, and repository metadata. On other Linux distributions, check the vendor security tracker for xorg-server, xserver-xorg-core, xwayland, or equivalent package names.
Until patches are installed:
- Restrict local user access on graphical systems.
- Disable unsafe xhost + configurations.
- Do not expose /tmp/.X11-unix into untrusted containers.
- Do not share XAUTHORITY files with untrusted workloads.
- Avoid running untrusted X clients on privileged workstations.
- Confirm whether Xorg runs as root.
- Prefer patched Wayland and Xwayland packages where X11 compatibility is required.
These steps reduce exposure. They do not replace the fix.
Detection And Response
Inventory first. Identify systems with X.Org X server or Xwayland installed. Prioritize multi-user Linux workstations, jump hosts with graphical sessions, lab systems, kiosks, VDI images, and developer machines that run containers with access to the host display.
Check package versions with the native package manager. Examples include rpm -q xorg-x11-server-Xorg xorg-x11-server-Xwayland on RPM-based systems and dpkg -l xserver-xorg-core xwayland on Debian-based systems. Package version numbers may not match upstream versions when vendors backport patches, so compare against vendor advisories, not only upstream release numbers.
Investigate suspicious local activity. Watch for unexpected X server crashes, repeated graphical session resets, abnormal Xwayland failures, or local users launching unusual X clients near crash times. These are not proof of exploitation. They are triage signals.
Timeline
June 5, 2026: Red Hat Bugzilla created tracking bug 2485380 for CVE-2026-50256.
June 5, 2026: NVD received and published the CVE record.
June 8, 2026: NVD added initial analysis, including affected Red Hat Enterprise Linux CPEs and upstream affected version ranges.
June 11, 2026: Public records identify fixed upstream releases as X.Org X server 21.1.23 and Xwayland 24.1.12.
Required Action
Treat this as a local privilege escalation risk on systems where Xorg runs as root. Treat it as a session-killing denial-of-service risk everywhere else.
Patch X.Org X server and Xwayland. Remove unsafe X access patterns. Verify package status across Linux workstation and desktop fleets.