High severity7.8NVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2026-50261

Description

A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Affected products

Xorg/Xserverinferred
Xorg/X serverllm-create
Xorg/Xwaylandllm-create

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

access.redhat.com/security/cve/CVE-2026-50261nvd
bugzilla.redhat.com/show_bug.cginvd
gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812nvd
lists.x.org/archives/xorg-announce/2026-June/003702.htmlnvd
redhat.atlassian.net/browse/PSIRTSUPT-16950nvd

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000