The Trend Micro Zero Day Initiative has uncovered three more security vulnerabilities affecting the X.Org Server and the derived XWayland source code.
Olivier Fourdan publicly announced today the newest X.Org Server and XWayland security vulnerabilities uncovered by the Trend Micro Zero Day Initiative. In turn, xorg-server 21.1.19 and XWayland 24.1.9 were released as the newest point releases to address these security issues.
These newest security vulnerabilities in the X.Org Server include:
CVE-2025-62229: Use-after-free in XPresentNotify structures creation
CVE-2025-62230: Use-after-free in Xkb client resource removal
CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()
The latter two have been in the X.Org codebase going back to X11R6, while the first one has been present since X.Org Server 1.15. X11R6 was first released back in 1994.
More details on these latest security issues can be found via the X.Org announcement.
