CVE-2026-55999

X.Org · xorg-server

A heap-based buffer overflow exists in xorg-server and xwayland, which could allow a local attacker with an X connection to execute arbitrary code.

Executive summary

A heap-based buffer overflow in X.Org xorg-server and xwayland allows local attackers to potentially escalate privileges or execute arbitrary code on the host system.

Vulnerability

This is a heap-based buffer overflow (CWE-122) triggered when the X server processes maliciously crafted PCX fonts provided by a local attacker with an active X connection.

Business impact

This vulnerability is highly severe as it allows for memory corruption, which can lead to system crashes or arbitrary code execution with the privileges of the X server. Given the CVSS score of 8.5, this poses a significant risk to the integrity and availability of the host operating system, particularly in multi-user environments.

Remediation

Immediate Action: Update xorg-server to version 21.1.24 or later, and xwayland to version 24.1.13 or later.

Proactive Monitoring: Monitor system logs for crashes related to the X server or abnormal memory usage patterns in graphical processes.

Compensating Controls: Restrict access to the X server to authorized users only and ensure that untrusted users are not permitted to establish direct X connections to the graphical session.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Local privilege escalation vulnerabilities in critical display infrastructure like xorg-server require immediate attention. Organizations should prioritize updating these packages across all affected Linux/Unix workstations and servers to mitigate the risk of local system compromise.