- Product: X.Org (2 products)
- Vulnerabilities: 2 flaws (CVE-2026-55999, CVE-2026-56000)
- Highest severity: 9 (Critical · CVSSv4)
- Worst impact: / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent()
- Status: No confirmed exploitation yet; patches available
- Action: Update to 21.1.24, 24.1.13 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-56000 | 9 | / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() | 21.1.24, 24.1.13 | Not exploited |
| CVE-2026-55999 | 8.5 | CWE-122 | 21.1.24, 24.1.13 | Not exploited |
TL;DR
X.Org shipped fixes for two memory-safety flaws in the X.Org Server and Xwayland. The more severe one, CVE-2026-56000, is a use-after-free rated CVSS 9.0. The second, CVE-2026-55999, is a heap buffer overflow rated 8.5. Trend Micro’s Zero Day Initiative reported both, and no public exploit or in-the-wild abuse has been confirmed.
Why it matters
The X.Org Server still drives many Linux desktops and multi-user hosts. An authenticated X client can trigger both bugs with a small set of requests. Because any connected client already holds broad access, memory corruption here can end in a crash or code execution. Moreover, these flaws continue a steady run of X.Org memory-safety issues that ZDI researchers have surfaced this year.
How the attack works
CVE-2026-56000 sits in the GLX dispatch layer. A malicious client fills every context-tag slot, then forces a reallocation while an old pointer still references freed memory. A later free then writes zeros into that stale slot. The whole sequence needs only a few dozen X11 requests.
The second flaw, CVE-2026-55999, is a heap buffer overflow in glamor font handling. A crafted PCF font with oversized glyph metrics overflows its texture atlas slot. As a result, an attacker controls both the size and the content of the overflow. Only servers using the glamor backend, such as Xorg with the modesetting driver and Xwayland, are affected.
Affected versions
Both flaws affect xorg-server before 21.1.24 and Xwayland before 24.1.13. The use-after-free also sits on the main and the discontinued master branch. Distributions that backported one specific GLX commit to the 21.1.x series are affected as well.
Patch and mitigation
Update to xorg-server-21.1.24 and xwayland-24.1.13 right away. Your distribution’s package manager is usually the fastest route. For the full technical write-up, read the X.Org advisory posted to the oss-security list. Until the patch lands, limit untrusted local X clients where you can.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.