X.Org Security Advisory released for 9 new vulnerabilities in X.Org X server and Xwayland

By Liam Squires-Hand - 2 Jun 2026 at 7:41 am UTC

Last updated: 2 Jun 2026 at 10:09 am UTC

Here we are again - X.Org X server and Xwayland have new security issues that have been revealed and patched in new versions released.

Announced by developer Peter Hutterer on June 2nd, xorg-server 21.1.23 and xwayland 24.1.12 have been released to fix up the problems (along with some other minor bug fixes in each). Most of the issues were found with the help of TrendAI, so we're seeing AI help more and more with discovering security issues across various open source projects.

We last had some security issues revealed back in April, and before that in October 2025.

From the mailing list these are the new issues noted:

* Font Alias Stack-based Buffer Overflow

A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30136)

* XSYNC Use-After-Free in miSyncDestroyFence()

A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30159)

* XKB Key Types Stack-based Buffer Overflow

The X server has multiple stack buffers that are sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger three separate stack overflows.

This is caused by an incomplete fix of CVE-2025-26597.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30160)

* XKB SetMap Request Stack-based Buffer Overflow

_XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30161)

* XSYNC Use-After-Free in FreeCounter()

A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30163)

* XSYNC Use-After-Free in SyncChangeCounter()

A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30164)

* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write

A wrong size validation check in __glXDisp_ChangeDrawableAttributes() can read (or write) a client-controlled number of bytes, exceeding the request buffer.

The write path requires byte-swapped clients which is disabled by default.

The read can lead to information disclosure, the write can be used to crash the server, or for privilege escalation if the X server runs as root.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30165)

* CreateSaverWindow Use-After-Free Information Disclosure

A client can trigger a use-after-free read after changing window attributes and forcing the screen saver. This can lead to information disclosure.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30168)

* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write

A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write.

Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
Found by: Peter Hutterer, Red Hat.

Source: Mailing List

Article taken from GamingOnLinux.com.

Tags: Security, Misc, Open Source

6 Likes

About the author - Liam Squires-Hand

I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can follow me personally on Mastodon [External Link].
See more from me

Some you may have missed, popular articles from the last month:

The Witcher 3: Wild Hunt - Songs of the Past DLC announced

Path of Exile 2 should hopefully be Steam Deck Verified with the next major update

The owners of Fandom and Gamespot want to acquire Balatro publisher Playstack

Unreal Engine 5.8 adds experimental Steam Frame support, Qualcomm give the Steam Frame a dedicated page

All posts need to follow our rules. Please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Readers can also email us for any issues or concerns.

3 comments

Mountain Man 8 hours ago

Flag

This is the right way to use AI, as a tool to find problems, not to fix them.

4 Likes

Huddle 6 hours ago

Flag

Does this apply to XLibre as well?

1 Likes

Turkeysteaks 1 hour ago

Flag

Supporter

View PC info

I think it's important to note that a bug/security hole being attributed TrendAI Zero Day Initiative is not necessarily found because of AI. It is an initiative that has been going for much longer than AI has been around (The company rebranded from Trend to TrendAI though).
It is a system that allows people to essentially get paid for finding security flaws; it is a bug bounty program. I'm sure several ARE found with AI or the help of AI tools (as TrendAI themselves do a huge amount of cybersecurity, some of which is with AI). But the bugs attributed to TrendAI may not even be from the company themselves - my understanding is essentially anyone can submit a found bug through this program.

Because it pays the contributers, a much larger percentage of the bugs are going to be 'found' through TrendAI - if you find a bug, are you going to tell the organisation directly, or go through a method where you'll be rewarded for it?

The initiative also works as a source of truth and trust for the organisations that use it - they're not going to be spammed with slop PRs for bugs that are already known, for example.
Clearly AI is having a big impact on this however, as it feels like every single week a new vulnerability is found these days.

Just something I wanted to share and feel important to mention!

The crux of this being that TrendAI aren't the only ones contributing to the TrendAI Zero Day Initiative.

2 Likes

While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations:

PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!