X.Org has just issued fresh security updates for both the X.Org server and Xwayland, fixing five newly disclosed vulnerabilities in the aging yet still-maintained display stack.
These issues affect X.Org server versions before 21.1.22 and Xwayland versions before 24.1.10. The vulnerabilities, listed as CVE-2026-33999 through CVE-2026-34003, include an XKB integer underflow, two XKB out-of-bounds reads, an XSYNC use-after-free, and an XKB buffer overflow.
The updated versions are xorg-server 21.1.22 and xwayland 24.1.10. This matters because, even though most Linux desktop development now focuses on Wayland, X.Org is still being maintained. That maintenance brings no new features; it consists only of keeping the code secure.
Regardless, this ongoing support is important for many users because Xwayland remains a key part of today’s Linux desktops. Even on systems that mainly use Wayland, Xwayland is often needed to run X11 applications. So, security issues in the shared code affect not only X.Org users but also those using Wayland who rely on Xwayland for compatibility.
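As an added example (not from the X.Org announcements), the following Python sketch checks an inventory of installed package versions against the fixed releases named above. The host names, package version strings and the `audit` helper are constructed for illustration, and the input is assumed to be version strings as reported by a package manager.

```python
import re

# Fixed upstream releases named in the article.
FIXED = {"xorg-server": (21, 1, 22), "xwayland": (24, 1, 10)}


def upstream_tuple(pkg_version):
    """Return the upstream (X, Y, Z) from a package-manager version string."""
    version = pkg_version.split(":", 1)[-1]  # drop an epoch prefix such as "2:"
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version: {pkg_version!r}")
    return tuple(int(part) for part in match.groups())


def needs_update(component, pkg_version):
    """True when the upstream version is older than the fixed release."""
    # Numeric comparison: as strings, "21.1.9" would sort after "21.1.22".
    return upstream_tuple(pkg_version) < FIXED[component]


def audit(inventory):
    """Return the (host, component, version) rows that need attention."""
    flagged = []
    for host, component, version in inventory:
        if component not in FIXED:
            continue  # not one of the two affected components
        try:
            if needs_update(component, version):
                flagged.append((host, component, version))
        except ValueError:
            flagged.append((host, component, version))  # unparseable: review by hand
    return flagged


# Constructed sample inventory (hosts and package strings are made up).
SAMPLE = [
    ("ws-01", "xorg-server", "2:21.1.16-1"),
    ("ws-02", "xorg-server", "21.1.22-1"),
    ("ws-03", "xwayland", "24.1.9-1"),
    ("ws-04", "xwayland", "2:24.1.10-1"),
    ("ws-05", "xorg-server", "21.1.9-2"),
    ("ws-06", "xwayland", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("update needed:", *row)
```

Distributions sometimes backport security fixes without changing the upstream version number, so a flagged row should be confirmed against the distribution's own advisory before it is treated as vulnerable.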
To sum up, X.Org still receives occasional patches, mainly because new security flaws keep appearing in its aging codebase, and, for good or bad, part of the Linux desktop ecosystem still relies on some of its legacy infrastructure.
For more details, see the announcements here and here. CVE details are here.
