VYPR
High severity · 7.8 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-50260

Description

A use-after-free vulnerability in X.Org X server and Xwayland allows clients to crash the server or potentially escalate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free flaw exists in the FreeCounter() function within the X.Org X server and Xwayland. This vulnerability affects X.Org X server versions prior to 21.1.23 and Xwayland versions prior to 24.1.12 [2, 4]. The issue occurs when a client sets up multiple SyncCounters, awaits them, and then a second client connection destroys these counters, leading to a use-after-free condition [4].

Exploitation

An attacker can exploit this vulnerability by establishing two client connections to the X server. The first connection is used to set up multiple SyncCounters and await their triggers. The second connection then destroys these counters, triggering the use-after-free vulnerability. No special privileges or network position are required beyond the ability to connect to the X server [4].

Impact

Successful exploitation of this vulnerability can lead to a crash of the X.Org X server. Furthermore, if the X server is running with root privileges, this flaw may be leveraged for privilege escalation, allowing an attacker to gain elevated access to the system [4].

Mitigation

This vulnerability has been fixed in X.Org X server version 21.1.23 and Xwayland version 24.1.12 [2, 4]. Users are advised to update to these fixed versions. No workarounds are mentioned in the available references. The Red Hat advisory indicates that CVEs were requested but not assigned in time for their disclosure [2].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
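
A version check against the fixed releases named under Mitigation, as an added example that is not part of the advisory or of X.Org's own tooling. The banner formats, the sample lines and the leading `1.` that xorg-server 21.1.x prints are assumptions made here; `ver_lt` and `classify` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: compare X server / Xwayland version banners with the fixed
# releases named in the advisory text (X server 21.1.23, Xwayland 24.1.12).
FIXED_XORG=21.1.23
FIXED_XWAYLAND=24.1.12

# ver_lt A B: succeed when dotted version A is strictly lower than B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                    # leading components
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                      # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                                      # equal versions
}

# classify LINE: print "<product> <version> <affected|fixed>", or "unknown".
classify() {
    case $1 in
        *"Xwayland Version "*)
            product=xwayland; ver=${1#*"Xwayland Version "}; fixed=$FIXED_XWAYLAND ;;
        "X.Org X Server "*)
            product=xorg; ver=${1#"X.Org X Server "}; fixed=$FIXED_XORG ;;
        *)  echo unknown; return 0 ;;
    esac
    ver=${ver%%[!0-9.]*}                          # keep only the dotted number
    [ -n "$ver" ] || { echo unknown; return 0; }
    # Assumption: xorg-server 21.1.x prints itself as "1.21.1.x"; drop that "1.".
    if [ "$product" = xorg ]; then
        case $ver in 1.*.*.*) ver=${ver#1.} ;; esac
    fi
    if ver_lt "$ver" "$fixed"; then state=affected; else state=fixed; fi
    echo "$product $ver $state"
}

# Constructed sample banners; on a real host pass the first line of
# `Xorg -version 2>&1` or `Xwayland -version 2>&1` to classify instead.
while IFS= read -r banner; do
    classify "$banner"
done <<'EOF'
X.Org X Server 1.21.1.11
X.Org X Server 1.21.1.23
The X.Org Foundation Xwayland Version 24.1.4 (12401004)
The X.Org Foundation Xwayland Version 24.1.12 (12401012)
EOF
```

Distribution packages can carry the fix as a backport under an older upstream version number, so treat an `affected` result as a prompt to check the vendor's advisory for that package.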

Affected products: 3

References: 5