Time to get ready to run some system upgrades, as the X.Org X server and Xwayland developers have released a security advisory due to multiple issues.
Newly released are xorg-server-21.1.22 and xwayland-24.1.10, which contain fixes for the issues. All prior versions are vulnerable, so you'll want to ensure you're up to date.
From the mailing list, here's what they detailed:
* CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()
If a "compat" buffer was previously truncated, there will be unused space left in the buffer. The code in XkbSetCompatMap() will use that space, but fails to update the number of valid entries actually in the buffer.
As a result, that can lead to buffer read overrun when processing a future request.
Introduced in: Prior to X11R6.6 Xorg baseline
Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae17
Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.
* CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()
Each key alias entry contains two key names (the alias and the real key name).
The code in CheckSetGeom() does its bounds checking using only the first name, allowing XkbAddGeomKeyAlias to read uninitialised memory.
Introduced in: xorg-server-21.1.4 and xwayland-22.1.3
Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f
Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.
* CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()
When walking the list of fences to trigger, miSyncTriggerFence() may call TriggerFence() for the current trigger, which ends up calling the function SyncAwaitTriggerFired().
SyncAwaitTriggerFired() frees the entire await resource, which removes all triggers from that await, including the next entries in the list of fences, leading to a use-after-free.
Introduced in: xorg-server-1.9.0
Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94b
Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.
* CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()
CheckModifierMap() reads from the wire in a loop without verifying that the data remains within the bounds of the client request.
As a result, the total number of keys could exceed the actual data provided, causing a potential read of uninitialised memory.
Introduced in: Prior to X11R6.6 Xorg baseline
Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1c
Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.
* CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()
The function CheckKeyTypes() will loop over the client's request but won't perform any additional bound checking to ensure that the data read remains within the request bounds.
As a result, a specifically crafted request may cause CheckKeyTypes() to read uninitialised memory past the request data.
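
To illustrate the bounds-check pattern behind the CVE-2026-34000 description above, here is an added example: a simplified model, not the X server's code or the upstream fix. The function names, struct layout and sample request are assumptions made for illustration; the 4-byte key name size is XKB's XkbKeyNameLength.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_NAME_LEN    4                   /* XKB key names are 4 bytes */
#define ALIAS_ENTRY_LEN (2 * KEY_NAME_LEN)  /* two key names per alias entry */

struct key_alias { char first[KEY_NAME_LEN]; char second[KEY_NAME_LEN]; };

/* Weak form: each iteration only proves that the first name fits. */
static int aliases_fit_first_name_only(size_t req_len, size_t off, unsigned n)
{
    for (unsigned i = 0; i < n; i++) {
        if (off > req_len || req_len - off < KEY_NAME_LEN)
            return 0;
        off += ALIAS_ENTRY_LEN;
    }
    return 1;
}

/* Hardened form: every whole entry (both names) must fit. Dividing the
 * remaining length avoids any overflow in n * ALIAS_ENTRY_LEN. */
static int aliases_fit(size_t req_len, size_t off, unsigned n)
{
    return off <= req_len && n <= (req_len - off) / ALIAS_ENTRY_LEN;
}

/* Copy n entries out of the request only after the full check passes.
 * Returns the number of entries copied, or -1 if the request is too short. */
static int parse_key_aliases(const uint8_t *req, size_t req_len, size_t off,
                             unsigned n, struct key_alias *out)
{
    if (!aliases_fit(req_len, off, n))
        return -1;
    for (unsigned i = 0; i < n; i++, off += ALIAS_ENTRY_LEN) {
        memcpy(out[i].first, req + off, KEY_NAME_LEN);
        memcpy(out[i].second, req + off + KEY_NAME_LEN, KEY_NAME_LEN);
    }
    return (int)n;
}

/* Constructed sample: one full entry, then an entry missing its second name. */
static const uint8_t SAMPLE_REQ[12] = {'A','L','T',0,'L','A','L','T','M','E','T','A'};

int main(void)
{
    struct key_alias out[2];
    return !(aliases_fit_first_name_only(sizeof SAMPLE_REQ, 0, 2) &&
             parse_key_aliases(SAMPLE_REQ, sizeof SAMPLE_REQ, 0, 2, out) == -1);
}
```

The first-name-only check accepts the 12-byte sample as holding two entries, while the hardened check rejects it because the second entry's second name would lie past the end of the request.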