CVE-2026-50262
Description
X.Org X server and Xwayland have an out-of-bounds read flaw in GLX, potentially leading to information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An out-of-bounds read flaw exists in the X.Org X server and Xwayland within the __glXDisp_ChangeDrawableAttributes() function. This vulnerability arises from an incorrect size validation check that allows a client to read a number of bytes exceeding the request buffer, leading to information disclosure. The write path, which could lead to more severe consequences, requires byte-swapped clients, a configuration that is disabled by default. Affected versions include xorg-x11-server up to and including 21.1.22 and xorg-x11-server-Xwayland up to and including 24.1.9 [4].
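To illustrate the class of defect the narrative describes (a length check that does not bound a variable-length attribute list against the request size), here is an added example written for this page; it is not the xserver's code, and the request layout, field names and `hyp_` functions are constructed assumptions that only mirror the general shape of an X request (length in 4-byte units, a count, then 8-byte attribute/value pairs).

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified request layout (assumption, not an xserver
 * definition): fixed 12-byte header followed by numAttribs pairs of
 * CARD32 (attribute, value), i.e. 8 bytes per pair. */
typedef struct {
    uint8_t  reqType;
    uint8_t  glxCode;
    uint16_t length;      /* total request length in 4-byte units */
    uint32_t drawable;
    uint32_t numAttribs;  /* number of 8-byte attribute/value pairs */
} hyp_ChangeDrawableAttributesReq;

enum { HYP_SUCCESS = 0, HYP_BAD_LENGTH = 16 };

/* Weak check: only confirms the fixed header is present and then trusts
 * numAttribs. A client can claim more pairs than it actually sent, so a
 * handler that loops over numAttribs reads past the end of the request
 * buffer (the out-of-bounds read pattern described above). */
int hyp_validate_weak(const hyp_ChangeDrawableAttributesReq *req)
{
    uint64_t bytes = (uint64_t)req->length * 4;
    if (bytes < sizeof(*req))
        return HYP_BAD_LENGTH;
    return HYP_SUCCESS;
}

/* Strict check: the request must carry exactly the header plus
 * numAttribs * 8 bytes. The arithmetic is done in 64 bits so that a huge
 * numAttribs cannot wrap the expected size back to a small value. */
int hyp_validate_strict(const hyp_ChangeDrawableAttributesReq *req)
{
    uint64_t bytes = (uint64_t)req->length * 4;
    uint64_t expected = sizeof(*req) + (uint64_t)req->numAttribs * 8;
    if (bytes < sizeof(*req) || bytes != expected)
        return HYP_BAD_LENGTH;
    return HYP_SUCCESS;
}

/* Helper to build constructed test requests. */
hyp_ChangeDrawableAttributesReq hyp_make_req(uint16_t length, uint32_t n)
{
    hyp_ChangeDrawableAttributesReq r = {0};
    r.length = length;
    r.numAttribs = n;
    return r;
}
```

A request of 20 bytes (length 5) that claims 1000 pairs passes the weak check and is rejected by the strict one, which is the difference a fix for this bug class has to make.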
Exploitation
An attacker can exploit this vulnerability by establishing a connection to the X server. Any X client that can connect to the server can trigger this issue. The attacker would then send a request that bypasses the size validation check in __glXDisp_ChangeDrawableAttributes(), causing the server to read beyond the allocated buffer [4].
Impact
The primary impact of this vulnerability is information disclosure due to the out-of-bounds read. An attacker can potentially read sensitive data from the server's memory. While a write path exists, it is less likely to be exploited as it requires byte-swapped clients, which are disabled by default. If exploited, the write path could lead to a server crash or privilege escalation if the X server is running with root privileges [4].
Mitigation
This vulnerability has been fixed upstream in xorg-server version 21.1.23 and xwayland version 24.1.12. The fix can be found at [3]. Users are advised to update to these fixed versions as soon as possible. No workarounds are mentioned in the available references. The X.Org Security Advisory was published on June 2, 2026 [2].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — vulnerability mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (5)
News mentions (0)
No linked articles in our index yet.