X.Org Security Advisory released for 9 new vulnerabilities in X.Org X server and Xwayland

Developer Peter Hutterer released xorg-server 21.1.23 and xwayland 24.1.12 on June 2nd to patch nine security vulnerabilities, including multiple stack-based buffer overflows and use-after-free flaws. The issues, most discovered with assistance from TrendAI's Zero Day Initiative, could allow attackers to crash the X server or execute arbitrary code through crafted requests.

Here we are again - X.Org X server and Xwayland have new security issues that have been revealed and patched in new versions released. Announced by developer Peter Hutterer on June 2nd, xorg-server 21.1.23 and xwayland 24.1.12 have been released to fix up the problems along with some other minor bug fixes in each . Most of the issues were found with the help of TrendAI, so we're seeing AI help more and more with discovering security issues across various open source projects. We last had some security issues revealed back in April https://www.gamingonlinux.com/2026/04/x-org-x-server-and-xwayland-security-advisory-released-for-multiple-issues/ , and before that in October 2025 https://www.gamingonlinux.com/2025/10/new-security-advisory-released-for-x-org-x-server-and-xwayland-issues/ . From the mailing list these are the new issues noted: Font Alias Stack-based Buffer OverflowA mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07 Found by: Anonymous working with TrendAI Zero Day Initiative. ZDI-CAN-30136 XSYNC Use-After-Free in miSyncDestroyFence A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b Found by: Anonymous working with TrendAI Zero Day Initiative. ZDI-CAN-30159 XKB Key Types Stack-based Buffer OverflowThe X server has multiple stack buffers that are sized XkbMaxShiftLevel XkbNumKbdGroups but CheckKeyTypes does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger three separate stack overflows. This is caused by an incomplete fix of CVE-2025-26597. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e Found by: Anonymous working with TrendAI Zero Day Initiative. ZDI-CAN-30160 XKB SetMap Request Stack-based Buffer Overflow XkbSetMapChecks declares a fixed-size stack buffer mapWidths 256 indexed by key type index. The helper function CheckKeyTypes writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b Found by: Anonymous working with TrendAI Zero Day Initiative. ZDI-CAN-30161 XSYNC Use-After-Free in FreeCounter A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b Found by: Anonymous working with TrendAI Zero Day Initiative. ZDI-CAN-30163 XSYNC Use-After-Free in SyncChangeCounter A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812 Found by: Anonymous working with TrendAI Zero Day Initiative. ZDI-CAN-30164 GLX ChangeDrawableAttributes Out-Of-Bounds Read/WriteA wrong size validation check in glXDisp ChangeDrawableAttributes can read or write a client-controlled number of bytes, exceeding the request buffer. The write path requires byte-swapped clients which is disabled by default. The read can lead to information disclosure, the write can be used to crash the server, or for privilege escalation if the X server runs as root. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145 Found by: Anonymous working with TrendAI Zero Day Initiative. ZDI-CAN-30165 CreateSaverWindow Use-After-Free Information DisclosureA client can trigger a use-after-free read after changing window attributes and forcing the screen saver. This can lead to information disclosure. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05 Found by: Anonymous working with TrendAI Zero Day Initiative. ZDI-CAN-30168 DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds WriteA client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. Fixed in: xorg-server-21.1.23 and xwayland-24.1.12 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8 Found by: Peter Hutterer, Red Hat. Source: Mailing List https://lists.x.org/archives/xorg-announce/2026-June/003702.html Some you may have missed, popular articles from the last month: All posts need to follow our rules https://www.gamingonlinux.com/index.php?module=rules . Please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Readers can also email us https://www.gamingonlinux.com/email-us/ for any issues or concerns. Who? /index.php?module=who likes&comment id=295414 Who? /index.php?module=who likes&comment id=295416 not necessarily found because of AI. It is an initiative that has been going for much longer than AI has been around The company rebranded from Trend to TrendAI though . It is a system that allows people to essentially get paid for finding security flaws; it is a bug bounty program. I'm sure several ARE found with AI or the help of AI tools as TrendAI themselves do a huge amount of cybersecurity, some of which is with AI . But the bugs attributed to TrendAI may not even be from the company themselves - my understanding is essentially anyone can submit a found bug through this program. Because it pays the contributers, a much larger percentage of the bugs are going to be 'found' through TrendAI - if you find a bug, are you going to tell the organisation directly, or go through a method where you'll be rewarded for it? The initiative also works as a source of truth and trust for the organisations that use it - they're not going to be spammed with slop PRs for bugs that are already known, for example. Clearly AI is having a big impact on this however, as it feels like every single week a new vulnerability is found these days. Just something I wanted to share and feel important to mention The crux of this being that TrendAI aren't the only ones contributing to the TrendAI Zero Day Initiative. Who? /index.php?module=who likes&comment id=295427