Eight new security issues have now been made public around the X.Org Server codebase that also impact XWayland.
The Trend Micro Zero Day Initiative has once again uncovered a trove of security issues within the X.Org Server codebase… Some of these vulnerabilities are very old and date back to X11R5 that was released all the way back in 1991.
The newly-published X.Org Server vulnerabilities include:
CVE-2025-26594: Use-after-free of the root cursor
CVE-2025-26595: Buffer overflow in XkbVModMaskText()
CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
CVE-2025-26600: Use-after-free in PlayReleasedEvents()
CVE-2025-26601: Use-after-free in SyncInitTrigger()
XWayland 24.1.6 and X.Org Server 21.1.16 have been released to address these newly-disclosed vulnerabilities. More details within this mailing list announcement with more details on these now public vulnerabilities.
It’s been 12 years since a security researcher noted that the X.Org Server security is even “worse than it looks” and all this time later more bugs continue to be uncovered within this large, aging, and little maintained codebase.
