CVE-2026-50256
Description
A stack buffer overflow in X.Org X server and Xwayland allows attackers to crash the server or escalate privileges by exploiting font alias resolution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow flaw exists in the X.Org X server and Xwayland due to a mismatch in maximum font name length between the X server and the libXfont2 library during font alias resolution. The X server allocates a 256-byte stack buffer, but libXfont2's alias target name can be up to 1024 bytes. A font alias name between 257 and 1023 bytes triggers the overflow when copied into the undersized buffer without checks. Affected versions include xorg-x11-server <= 21.1.22 and xorg-x11-server-Xwayland <= 24.1.9 [3].
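The size mismatch described above, shown as an added example that is not code from xorg-server, libXfont2 or this page: a bounded copy that refuses an alias target that does not fit the 256-byte buffer. All macro and function names are hypothetical; only the 256-byte and 1024-byte sizes come from the description.

```c
#include <stdio.h>
#include <string.h>

/* Sizes come from the description above. All names here are hypothetical
 * and are not taken from xorg-server or libXfont2. */
#define SERVER_NAME_BUF 256   /* server-side stack buffer */
#define LIB_ALIAS_MAX   1024  /* library-side bound on an alias target */

enum { ALIAS_TOO_LONG = -1, ALIAS_INVALID = -2 };

/* Copy an alias target of `len` bytes into `dst` and NUL-terminate it.
 * The unchecked pattern is a bare memcpy(dst, target, len); here the length
 * is compared against the destination first. An over-long target is
 * refused rather than truncated, so it can never resolve to a different
 * (shorter) font name. Returns the copied length or a negative status. */
static int copy_alias_target(char *dst, size_t dst_size,
                             const char *target, size_t len)
{
    if (dst == NULL || target == NULL || dst_size == 0)
        return ALIAS_INVALID;
    if (len >= LIB_ALIAS_MAX)   /* beyond what the producer may return */
        return ALIAS_INVALID;
    if (len >= dst_size)        /* no room for the bytes plus the NUL,
                                   so exactly 256 is refused as well */
        return ALIAS_TOO_LONG;
    memcpy(dst, target, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed input: an alias target made of `len` 'A' bytes, resolved by a
 * caller that owns a 256-byte stack buffer. */
static int resolve_constructed_alias(size_t len)
{
    char target[LIB_ALIAS_MAX];
    char name[SERVER_NAME_BUF];

    if (len > sizeof(target))
        return ALIAS_INVALID;
    memset(target, 'A', len);
    return copy_alias_target(name, sizeof(name), target, len);
}

int main(void)
{
    size_t lens[] = { 10, 255, 256, 257, 1023, 1024 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("%zu -> %d\n", lens[i], resolve_constructed_alias(lens[i]));
    return 0;
}
```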
Exploitation
An attacker can trigger this vulnerability by connecting to the X server with any X client that can initiate font alias resolution. The attacker needs to provide a crafted font alias name that falls within the size range causing the buffer overflow. This can be achieved without special privileges or user interaction, as long as the client can connect to the server [3].
Impact
Successful exploitation of this vulnerability can cause a denial of service by crashing the X server. Furthermore, if the X server is running with root privileges, this flaw can be leveraged for privilege escalation, allowing an attacker to gain elevated access to the system [3].
Mitigation
This vulnerability is fixed in xorg-server version 21.1.23 and xwayland version 24.1.12 [2, 3]. The fix is available via the commit referenced in [4]. No workarounds are described in the available references. The affected components are X.Org X server and Xwayland [2].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (5)
News mentions (0)
No linked articles in our index yet.