VYPR
High severity · 7.8 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-50264

Description

X.Org X server and Xwayland vulnerable to out-of-bounds heap write via DRI2, potentially leading to crashes or privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds heap write vulnerability exists in the DRIGetBuffers/DRIGetBuffersWithFormat functions within the X.Org X server and Xwayland. This flaw is triggered when a client requests multiple DRI2BufferBackLeft attachments along with one DRI2BufferFrontLeft attachment. Affected versions include xorg-x11-server up to and including 21.1.22 and xorg-x11-server-Xwayland up to and including 24.1.9 [4].

Exploitation

An attacker with the ability to connect to the X server as a local client can exploit this vulnerability. The attacker must craft a request that includes multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft attachment to trigger the out-of-bounds write condition [4].

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service by crashing the X server. Furthermore, if the X server is running with root privileges, this vulnerability may be leveraged for privilege escalation, allowing an attacker to gain elevated access to the system [4].

Mitigation

This vulnerability has been fixed upstream in xorg-server version 21.1.23 and xwayland version 24.1.12 [2, 4]. Users are advised to update to these fixed versions as soon as possible. No workarounds are mentioned in the available references. The X.Org X server and Xwayland are not listed as end-of-life products [2].
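
An added example (not part of the advisory or of X.Org's code): a triage helper that classifies an installed version string against the affected and fixed bounds stated above. The component keys, function names and sample strings are assumptions made for illustration. Versions between the two bounds are reported as unlisted because the advisory does not cover them, and a distribution package may carry a backported fix under an older upstream version number.

```python
import re

# Bounds as stated in this advisory: (last affected, first fixed).
BOUNDS = {
    "xorg-server": ((21, 1, 22), (21, 1, 23)),
    "xwayland": ((24, 1, 9), (24, 1, 12)),
}

def parse_upstream(component, raw):
    """Extract the upstream version tuple from a package or binary version string."""
    s = re.sub(r"^\d+:", "", raw.strip())   # drop a distro epoch such as "2:"
    m = re.match(r"\d+(?:\.\d+)+", s)       # leading dotted number, ignores "-1.el9" etc.
    if not m:
        raise ValueError(f"no version found in {raw!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    # The Xorg binary reports 21.1.x releases as 1.21.1.x; drop the legacy prefix
    # so that 1.21.1.23 is compared as 21.1.23.
    if component == "xorg-server" and len(parts) == 4 and parts[0] == 1:
        parts = parts[1:]
    return parts

def classify(component, raw):
    """Return 'affected', 'fixed' or 'unlisted' for one installed version."""
    last_affected, first_fixed = BOUNDS[component]
    version = parse_upstream(component, raw)
    if version <= last_affected:
        return "affected"
    if version >= first_fixed:
        return "fixed"
    return "unlisted"  # between the bounds: the advisory makes no statement

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and package strings).
    SAMPLES = [
        ("host-a", "xorg-server", "2:21.1.7-3+deb12u7"),
        ("host-b", "xorg-server", "1.21.1.23"),
        ("host-c", "xwayland", "24.1.10-1.fc41"),
        ("host-d", "xwayland", "24.1.12"),
    ]
    for host, component, raw in SAMPLES:
        print(f"{host}\t{component}\t{raw}\t{classify(component, raw)}")
```
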

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

5
