X.Org Server Out-of-Bounds Read Vulnerability (CVE-2026-50262) Disclosed in ZDI Advisory
A local out-of-bounds read vulnerability in X.Org Server's ChangeDrawableAttributes function could allow attackers to leak sensitive information after gaining low-privileged code execution.

A new vulnerability in X.Org Server has been disclosed by Zero Day Initiative as ZDI-26-396, tracked as CVE-2026-50262. The flaw resides in the ChangeDrawableAttributes function and is an out-of-bounds read issue that could allow local attackers to disclose sensitive information. The vulnerability carries a CVSS score of 5.5, indicating moderate severity.
The specific problem lies in the handling of the numAttribs field. The server does not properly validate this user-supplied count before using it, so a request carrying a larger count than the data it actually contains causes a read past the end of the allocated structure. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. Once exploited, the flaw can be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of root.
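The bug class described above, as an added illustration that is not X.Org's code: a hypothetical request handler (invented wire layout, `AttribRequest`, `parse_attribs` and `build_request` are all assumptions) that bounds a client-supplied `numAttribs` count against the bytes actually received instead of trusting it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire layout (NOT X.Org's real request struct): an 8-byte
 * header followed by numAttribs pairs of 32-bit (name, value). */
typedef struct {
    uint32_t length;     /* payload bytes that follow the header */
    uint32_t numAttribs; /* client-supplied count: untrusted */
} AttribRequest;

/* The vulnerable pattern copies hdr.numAttribs pairs and so reads past the
 * end of the received buffer. This version bounds the count against the
 * bytes actually received. Returns pairs parsed, or -1 if malformed. */
static int parse_attribs(const uint8_t *buf, size_t buf_len,
                         uint32_t *out, size_t max_pairs)
{
    AttribRequest hdr;
    if (buf_len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    size_t avail = buf_len - sizeof hdr;
    if (hdr.length != avail) return -1;        /* declared vs received */
    if (hdr.numAttribs > avail / 8) return -1; /* the missing check */
    if (hdr.numAttribs > max_pairs) return -1; /* output capacity */
    memcpy(out, buf + sizeof hdr, (size_t)hdr.numAttribs * 8);
    return (int)hdr.numAttribs;
}

/* Builds a constructed request in host byte order; declared_count may
 * disagree with npairs to model a malicious client. */
static size_t build_request(uint8_t *out, uint32_t declared_count,
                            const uint32_t *pairs, size_t npairs)
{
    AttribRequest hdr = { (uint32_t)(npairs * 8), declared_count };
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, pairs, npairs * 8);
    return sizeof hdr + npairs * 8;
}

/* Honest client: count matches the two pairs sent -> 2. */
int demo_consistent(void)
{
    uint8_t buf[64]; uint32_t pairs[4] = {0x11, 1, 0x22, 0}, out[8];
    return parse_attribs(buf, build_request(buf, 2, pairs, 2), out, 4);
}
/* Inflated count: claims 1000 attribs, only one pair present -> -1. */
int demo_inflated(void)
{
    uint8_t buf[64]; uint32_t pairs[2] = {0x11, 1}, out[8];
    return parse_attribs(buf, build_request(buf, 1000, pairs, 1), out, 4);
}
```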
X.Org has released a patch to address the vulnerability. The fix is available in the X.Org server repository via commit 6d459e4daf715bea8abdafa8fb130be2f8a1d145. Users are strongly advised to update their X.Org Server installations to the latest version to mitigate the risk.
The disclosure timeline shows that the vulnerability was reported to the vendor on April 17, 2026, and the coordinated public release of the advisory occurred on June 24, 2026. The vulnerability was credited to an anonymous researcher.
This vulnerability is part of a series of recent disclosures in X.Org Server, including a use-after-free vulnerability (CVE-2026-50263) disclosed earlier. While both affect the same software, they are distinct issues and require separate patches. Administrators should ensure all X.Org Server updates are applied promptly to maintain system security.