{"slug": "x-org-security-advisory-released-for-9-new-vulnerabilities-in-x-org-x-server-and", "title": "X.Org Security Advisory released for 9 new vulnerabilities in X.Org X server and Xwayland", "summary": "Developer Peter Hutterer released xorg-server 21.1.23 and xwayland 24.1.12 on June 2nd to patch nine security vulnerabilities, including multiple stack-based buffer overflows and use-after-free flaws. The issues, most discovered with assistance from TrendAI's Zero Day Initiative, could allow attackers to crash the X server or execute arbitrary code through crafted requests.", "body_md": "Here we are again - X.Org X server and Xwayland have new security issues that have been revealed and patched in new versions released.\n\nAnnounced by developer Peter Hutterer on June 2nd, xorg-server 21.1.23 and xwayland 24.1.12 have been released to fix up the problems (along with some other minor bug fixes in each). Most of the issues were found with the help of TrendAI, so we're seeing AI help more and more with discovering security issues across various open source projects.\n\nWe last had some security issues [revealed back in April](https://www.gamingonlinux.com/2026/04/x-org-x-server-and-xwayland-security-advisory-released-for-multiple-issues/), and before that in [October 2025](https://www.gamingonlinux.com/2025/10/new-security-advisory-released-for-x-org-x-server-and-xwayland-issues/).\n\nFrom the mailing list these are the new issues noted:\n\n* Font Alias Stack-based Buffer Overflow\n\nA mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07\n\nFound by: Anonymous working with TrendAI Zero Day Initiative.\n\n(ZDI-CAN-30136)\n\n* XSYNC Use-After-Free in miSyncDestroyFence()\n\nA client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b\n\nFound by: Anonymous working with TrendAI Zero Day Initiative.\n\n(ZDI-CAN-30159)\n\n* XKB Key Types Stack-based Buffer Overflow\n\nThe X server has multiple stack buffers that are sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger three separate stack overflows.\n\nThis is caused by an incomplete fix of CVE-2025-26597.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e\n\nFound by: Anonymous working with TrendAI Zero Day Initiative.\n\n(ZDI-CAN-30160)\n\n* XKB SetMap Request Stack-based Buffer Overflow\n\n_XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b\n\nFound by: Anonymous working with TrendAI Zero Day Initiative.\n\n(ZDI-CAN-30161)\n\n* XSYNC Use-After-Free in FreeCounter()\n\nA client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b\n\nFound by: Anonymous working with TrendAI Zero Day Initiative.\n\n(ZDI-CAN-30163)\n\n* XSYNC Use-After-Free in SyncChangeCounter()\n\nA client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812\n\nFound by: Anonymous working with TrendAI Zero Day Initiative.\n\n(ZDI-CAN-30164)\n\n* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\nA wrong size validation check in __glXDisp_ChangeDrawableAttributes() can read (or write) a client-controlled number of bytes, exceeding the request buffer.\n\nThe write path requires support for byte-swapped clients, which is disabled by default.\n\nThe read can lead to information disclosure; the write can be used to crash the server, or for privilege escalation if the X server runs as root.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145\n\nFound by: Anonymous working with TrendAI Zero Day Initiative.\n\n(ZDI-CAN-30165)\n\n* CreateSaverWindow Use-After-Free Information Disclosure\n\nA client can trigger a use-after-free read after changing window attributes and forcing the screen saver. This can lead to information disclosure.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05\n\nFound by: Anonymous working with TrendAI Zero Day Initiative.\n\n(ZDI-CAN-30168)\n\n* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write\n\nA client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write.\n\nFixed in: xorg-server-21.1.23 and xwayland-24.1.12\n\nFix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f\n\nhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8\n\nFound by: Peter Hutterer, Red Hat.\n\nSource: [Mailing List](https://lists.x.org/archives/xorg-announce/2026-June/003702.html)\n\n*not* necessarily found because of AI. It is an initiative that has been going for much longer than AI has been around (The company rebranded from Trend to TrendAI though).\n\nIt is a system that allows people to essentially get paid for finding security flaws; it is a bug bounty program. I'm sure several ARE found with AI or the help of AI tools (as TrendAI themselves do a huge amount of cybersecurity, some of which is with AI). But the bugs attributed to TrendAI may not even be from the company themselves - my understanding is essentially anyone can submit a found bug through this program.\n\nBecause it pays the contributors, a much larger percentage of the bugs are going to be 'found' through TrendAI - if you find a bug, are you going to tell the organisation directly, or go through a method where you'll be rewarded for it?\n\nThe initiative also works as a source of truth and trust for the organisations that use it - they're not going to be spammed with slop PRs for bugs that are already known, for example.\n\nClearly AI is having a big impact on this however, as it feels like every single week a new vulnerability is found these days.\n\nJust something I wanted to share and feel important to mention!\n\nThe crux of this being that TrendAI aren't the only ones contributing to the TrendAI Zero Day Initiative.", "url": "https://wpnews.pro/news/x-org-security-advisory-released-for-9-new-vulnerabilities-in-x-org-x-server-and", "canonical_source": "https://www.gamingonlinux.com/2026/06/x-org-security-advisory-released-for-9-new-vulnerabilities-in-x-org-x-server-and-xwayland/", "published_at": "2026-06-02 07:41:18+00:00", "updated_at": "2026-06-03 07:05:17.948326+00:00", "lang": "en", "topics": ["ai-research", "ai-safety"], "entities": ["X.Org", "Xwayland", "Peter Hutterer", "TrendAI", "xorg-server", "libXfont2"], "alternates": {"html": "https://wpnews.pro/news/x-org-security-advisory-released-for-9-new-vulnerabilities-in-x-org-x-server-and", "markdown": "https://wpnews.pro/news/x-org-security-advisory-released-for-9-new-vulnerabilities-in-x-org-x-server-and.md", "text": "https://wpnews.pro/news/x-org-security-advisory-released-for-9-new-vulnerabilities-in-x-org-x-server-and.txt", "jsonld": "https://wpnews.pro/news/x-org-security-advisory-released-for-9-new-vulnerabilities-in-x-org-x-server-and.jsonld"}}