Time to get ready to run some system upgrades, as the X.Org X server and Xwayland developers have released a security advisory due to multiple issues.
Newly released are xorg-server-21.1.22 and xwayland-24.1.10, which contain fixes for the issues; all prior versions are vulnerable, so you'll want to ensure you're up to date.
From the mailing list here's what they detailed:
* CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()
If a "compat" buffer was previously truncated, there will be unused space left in the buffer. The code in XkbSetCompatMap() will use that space, but fails to update the number of valid entries actually in the buffer.
As a result, this can lead to a buffer read overrun when processing a future request.
Introduced in: Prior to X11R6.6 Xorg baseline
Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae17
Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.
* CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()
Each key alias entry contains two key names (the alias and the real key name).
The code in CheckSetGeom() does its bounds checking using only the first name, allowing XkbAddGeomKeyAlias to read uninitialised memory.
Introduced in: xorg-server-21.1.4 and xwayland-22.1.3
Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f
Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.
* CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()
When walking the list of fences to trigger, miSyncTriggerFence() may call TriggerFence() for the current trigger, which ends up calling the function SyncAwaitTriggerFired().
SyncAwaitTriggerFired() frees the entire await resource, which removes all triggers from that await, including the next entries in the list of fences, leading to a use-after-free.
Introduced in: xorg-server-1.9.0
Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94b
Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.
* CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()
CheckModifierMap() reads from the wire in a loop without verifying that the data remains within the bounds of the client request.
As a result, the total number of keys could exceed the actual data provided, causing a potential read of uninitialised memory.
Introduced in: Prior to X11R6.6 Xorg baseline
Fixed in: xorg-server-21.1.22 and xwayland-24.1.10
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1c
Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative.
* CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()
The function CheckKeyTypes() will loop over the client's request but won't perform any additional bound checking to ensure that the data read remains within the request bounds.
As a result, a specifically crafted request may cause CheckKeyTypes() to read uninitialised memory past the request data.
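As an added illustration of the bounds-checking pattern the CVE-2026-34002 and CVE-2026-34003 entries describe (this is not X.Org code, and the wire layout below is constructed, not XKB's real encoding): a request walker that verifies each variable-length entry stays inside the request before reading it, instead of trusting the client-supplied entry count alone.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed wire layout (hypothetical, not XKB's real encoding):
 * the request body holds `nkeys` entries; each entry is a 1-byte
 * count `n` followed by n 4-byte values. The total length is only
 * known by walking the entries, so every read must be bounds-checked
 * against the request length rather than against `nkeys`. */
#define ENTRY_VALUE_SIZE 4

/* Return the number of bytes consumed by `nkeys` entries, or -1 if
 * the walk would read past req_len (request too short for the
 * claimed count, or an entry's own count larger than what remains).
 * This is the check the advisory says the original loops lacked. */
long check_key_entries(const uint8_t *req, size_t req_len, unsigned nkeys)
{
    size_t off = 0;
    for (unsigned i = 0; i < nkeys; i++) {
        /* the entry header byte itself must lie inside the request */
        if (req_len - off < 1)
            return -1;
        unsigned n = req[off];
        off += 1;
        /* the entry payload must fit in what remains; dividing first
         * avoids overflow in n * ENTRY_VALUE_SIZE */
        if ((req_len - off) / ENTRY_VALUE_SIZE < n)
            return -1;
        off += (size_t)n * ENTRY_VALUE_SIZE;
    }
    return (long)off;
}

/* Constructed sample: a well-formed body with two entries. */
static const uint8_t sample_req[] = {
    0x02, 1, 0, 0, 0, 2, 0, 0, 0,   /* entry 0: two 4-byte values */
    0x01, 3, 0, 0, 0                /* entry 1: one 4-byte value  */
};

/* Constructed sample: an entry whose count exceeds its payload. */
static const uint8_t truncated_req[] = { 0x05, 1, 0, 0, 0 };

/* nkeys matches the data: walk succeeds and reports 14 bytes used */
long sample_ok(void)    { return check_key_entries(sample_req, sizeof sample_req, 2); }
/* nkeys claims a third entry that is not in the request: rejected */
long sample_bad(void)   { return check_key_entries(sample_req, sizeof sample_req, 3); }
/* entry count larger than the remaining bytes: rejected */
long sample_trunc(void) { return check_key_entries(truncated_req, sizeof truncated_req, 1); }
```

Without the per-iteration checks, sample_bad and sample_trunc would read beyond the request buffer, which is the uninitialised-memory read the advisory describes.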
On the AI side though I am curious. I despise AI, and a new reason to hate it is that some of the latest models (namely Anthropic's Mythos) is *reportedly* incredibly good at finding and exploiting vulnerabilities. I take that with a huge pinch of salt because clearly it's somewhat marketing, but it does worry me. If it ever gets into the wrong hands (and to be clear, I don't really consider Anthropic to be the RIGHT hands...) and it is even half as powerful as they are claiming, it really could be dangerous - I feel even more so for Open Source projects.
Hopefully not though.
I'm a SWE, and while I still avoid AI in my workplace for the most part, my colleagues are not the same - but even the most enthusiastic are starting to feel quite sour about it. Even on the most personal and maybe selfish level, it makes the job... really damn boring. I don't want to be a 'manager', I want to code! (which again, is partly why I refuse to use AI wherever I can)
Quoting: Turkeysteaks
Not sure what the 'TrendAI' part of the Zero Day Initiative is, but nice to see that the ZDI seems to be helping.

Bad news: it has gotten acceptable at finding vulnerabilities in source code, and it's already in malicious hands and showing real production gains in cyber crime (although currently for social engineering attacks, not bug finding).
Meaning it will target only open source projects.
The only good news is that this'll allow for higher code quality in open source projects.
There's one thing I hope AI'll bring: the ability for non-technical people to check source code for backdoors.
Edit:
This basically means openness gets super charged.
Last edited by LoudTechie on 15 Apr 2026 at 12:34 pm UTC