CVE-2026-50263
Description
A use-after-free vulnerability in X.Org X server and Xwayland allows information disclosure when a client manipulates window attributes and triggers the screen saver.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in X.Org X server and Xwayland allows information disclosure when a client manipulates window attributes and triggers the screen saver.
Vulnerability
A use-after-free read vulnerability exists in the CreateSaverWindow() function within the X.Org X server and Xwayland. This flaw affects X.Org X server versions prior to 21.1.23 and Xwayland versions prior to 24.1.12 [2, 4].
Exploitation
An attacker with the ability to connect to the X server as a client can trigger this vulnerability. The attacker must change window attributes and then force the screen saver to activate, leading to a use-after-free condition [2, 4].
Impact
Successful exploitation of this vulnerability allows an attacker to read freed memory, resulting in information disclosure. The scope of the compromise is limited to the privileges of the affected X client [4].
Mitigation
This vulnerability is fixed in X.Org X server version 21.1.23 and Xwayland version 24.1.12 [2, 4]. The fix was released on June 2, 2026 [2]. No workarounds are mentioned in the available references.
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5News mentions
0No linked articles in our index yet.