The X.Org Server 21.1.17 and XWayland 24.1.7 point releases were issued today to fix the latest batch of security issues.
Security researchers Nils Emmerich and Julian Suleder have been tracking down the latest batch of security issues affecting the X.Org Server and XWayland. These researchers from Germany’s ERNW security firm tracked down six more issues with the X.Org Server codebase:
CVE-2025-49175: Out-of-bounds access in X Rendering extension (Animated cursors)
CVE-2025-49176: Integer overflow in Big Requests Extension
CVE-2025-49177: Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
CVE-2025-49178: Unprocessed client request via bytes to ignore
CVE-2025-49179: Integer overflow in X Record extension
CVE-2025-49180: Integer overflow in RandR extension (RRChangeProviderProperty)
All six of these security issues date back years in the codebase. These issues were then fixed in the X.Org Server / XWayland codebase by Red Hat engineer Olivier Fourdan and are now resolved with X.Org Server 21.1.17 / XWayland 24.1.7. More details via the xorg-announce message.
ERNW also put out a blog post about these latest security issues on their security blog:
“The X11 Window System has been used since September 1987 for Unix desktop systems, allowing applications to display their windows. Today, one of the server implementations of the protocol is the X.Org X server and XWayland, which both use the same codebase. While reviewing the X server, several legacy security issues were identified. These appear to originate from earlier design stages when security considerations were less prominent. Despite the project’s maturity and widespread use, some of these issues have persisted.
…
The X.Org X server is a aged and large project that grew over time with the help of the open-source community. All of these issues gave me a feeling that the source code itself can best describe: party_like_its_1989 = TRUE;”
More details in the blog post over at Insinuator.net.
