X.Org has released security updates for both X.Org Server and Xwayland, addressing multiple vulnerabilities. The fixed releases are X.Org Server 21.1.23 and Xwayland 24.1.12; the advisory states that all earlier versions are affected. CVE identifiers had been requested but were not assigned before public disclosure.
The advisory lists nine security issues, including stack-based buffer overflows, use-after-free flaws, out-of-bounds read and write bugs, and information disclosure vulnerabilities. Affected components include Font Alias handling, XSYNC, XKB, GLX, CreateSaverWindow, and DRI2.
One fixed issue is a stack-based buffer overflow in Font Alias handling, caused by a mismatch between the maximum font name length assumed by the X server and the one allowed by libXfont2: the X server copies the resolved alias into a 256-byte stack buffer, while libXfont2 permits alias target names of up to 1024 bytes. Any alias target longer than 256 bytes therefore overflows the X server's buffer.
Several flaws affect XSYNC. The advisory describes use-after-free issues in miSyncDestroyFence(), FreeCounter(), and SyncChangeCounter(). In each case a client creates synchronization objects (fences or counters) on one connection and then destroys or modifies them from additional client connections, leaving the server operating on freed memory.
XKB is affected by two stack-based buffer overflows. One is in key type handling and is described as the result of an incomplete fix for CVE-2025-26597. The other is in the XKB SetMap request path, where a client-controlled key type index is used to write into a fixed-length stack buffer without a bounds check.
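The Font Alias and XKB SetMap bugs above are two shapes of the same class, a write into a fixed-size stack buffer whose bound is never checked against attacker-controlled input: in one a callee may return more than the caller's buffer holds, in the other a wire-supplied index selects a slot in a stack array. The C program below is an added illustration and not X.Org Server code; the request layout, function names, alias table and key-type table size are constructed for the example, and only the 256-byte server buffer and 1024-byte libXfont2 limit come from the advisory. The `*_unchecked` functions show the bug shape, the `*_checked` ones the validation a fixed handler needs, returning X-style error codes.

```c
/* Added illustration, not X.Org Server code. Request layout, names, alias
 * table and MAX_KEY_TYPES are constructed; SERVER_ALIAS_BUF and
 * LIBXFONT2_ALIAS_MAX are the sizes quoted in the advisory. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* X protocol error codes, same values as in X11/X.h. */
#define Success   0
#define BadValue  2
#define BadLength 16

#define SERVER_ALIAS_BUF    256   /* what the server's stack buffer holds   */
#define LIBXFONT2_ALIAS_MAX 1024  /* what the resolver may hand back        */
#define MAX_KEY_TYPES       32    /* constructed fixed per-request table    */

/* --- Font Alias: caller buffer smaller than callee maximum ---------------- */

/* Constructed stand-in for libXfont2 alias resolution: "fixed" maps to a
 * short XLFD, "long" to a 600-byte target (legal for the resolver, too big
 * for the server's buffer). */
static char long_target[LIBXFONT2_ALIAS_MAX];

static const char *lookup_alias(const char *alias)
{
    if (long_target[0] == '\0') {            /* build the long target once */
        memset(long_target, 'x', 600);
        long_target[600] = '\0';
    }
    if (strcmp(alias, "fixed") == 0)
        return "-misc-fixed-medium-r-normal--13-120-75-75-c-60-iso8859-1";
    if (strcmp(alias, "long") == 0)
        return long_target;
    return NULL;
}

/* Vulnerable shape: buffer sized by the caller's own assumption, copy length
 * taken from the callee. A target of 257..1024 bytes runs off the end of buf. */
int resolve_alias_unchecked(const char *alias)
{
    char buf[SERVER_ALIAS_BUF];
    const char *target = lookup_alias(alias);
    if (target == NULL)
        return BadValue;
    strcpy(buf, target);                     /* unbounded copy: the bug */
    return buf[0] == '-' ? Success : BadValue; /* XLFD names start with '-' */
}

/* Fixed shape: the buffer size travels with the buffer, and a target that
 * does not fit is refused rather than truncated or copied. */
int resolve_alias_checked(const char *alias, char *out, size_t outsz)
{
    const char *target = lookup_alias(alias);
    if (target == NULL)
        return BadValue;
    size_t n = strlen(target);
    if (n + 1 > outsz)                       /* +1 for the terminator */
        return BadLength;
    memcpy(out, target, n + 1);
    return Success;
}

/* --- XKB SetMap-style: client-controlled index into a stack array --------- */

struct key_type_req {                        /* constructed request body */
    uint32_t index;                          /* client-controlled slot   */
    uint32_t num_levels;
};

static unsigned count_defined(const uint32_t *types, size_t n)
{
    unsigned c = 0;
    for (size_t i = 0; i < n; i++)
        c += (types[i] != 0);
    return c;
}

/* Vulnerable shape: index comes straight off the wire; index >= 32 writes
 * past types[] on the stack. */
int set_key_type_unchecked(const struct key_type_req *req, unsigned *ndef)
{
    uint32_t types[MAX_KEY_TYPES] = {0};
    types[req->index] = req->num_levels;     /* no bound check: the bug */
    *ndef = count_defined(types, MAX_KEY_TYPES);
    return Success;
}

/* Fixed shape: reject the request before the index selects a slot. */
int set_key_type_checked(const struct key_type_req *req, unsigned *ndef)
{
    uint32_t types[MAX_KEY_TYPES] = {0};
    if (req->index >= MAX_KEY_TYPES)
        return BadValue;
    types[req->index] = req->num_levels;
    *ndef = count_defined(types, MAX_KEY_TYPES);
    return Success;
}

int main(void)
{
    char out[SERVER_ALIAS_BUF];
    unsigned ndef = 0;
    struct key_type_req ok = { 3, 2 }, bad = { MAX_KEY_TYPES + 5, 2 };
    printf("alias fixed -> %d\n", resolve_alias_checked("fixed", out, sizeof out));
    printf("alias long  -> %d (BadLength)\n", resolve_alias_checked("long", out, sizeof out));
    printf("index 3  -> %d\n", set_key_type_checked(&ok, &ndef));
    printf("index 37 -> %d (BadValue)\n", set_key_type_checked(&bad, &ndef));
    /* The unchecked variants are only safe with well-formed input; calling
     * them with "long" or with bad would corrupt this program's own stack. */
    return 0;
}
```

The checked variants refuse oversized input instead of silently truncating it, which is the right call for a protocol handler: a truncated font name or a dropped key type would be a behavioural change the client never asked for, while a BadLength or BadValue error tells it exactly which request was rejected.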
The GLX flaw is in ChangeDrawableAttributes and can cause out-of-bounds reads or writes. The advisory notes that the read path may disclose server memory to the client, while the write path can crash the server or, if the X server runs as root, potentially allow privilege escalation. The write path is reachable only from byte-swapped clients (clients whose byte order differs from the server's), which are disabled by default.
Another fixed bug is a use-after-free in CreateSaverWindow that can disclose information after a client changes window attributes and then activates the screen saver. The final issue affects DRI2, where certain DRI2GetBuffers or DRI2GetBuffersWithFormat requests can trigger an out-of-bounds heap write.
For additional details, see the announcement.
Users should install the updated packages as soon as they are available from their Linux distribution.

Nice to read.
I switched to XLibre and no systemd, btw 😉