An update for xorg-x11-server is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2681 Final 1.0 1.0 2026-06-12 Initial 2026-06-12 2026-06-12 openEuler SA Tool V1.0 2026-06-12 xorg-x11-server security update An update for xorg-x11-server is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4 X.Org X11 X server Security Fix(es): ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr(CVE-2026-50256) ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr(CVE-2026-50257) ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr(CVE-2026-50258) ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr(CVE-2026-50259) A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root.(CVE-2026-50260) A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.(CVE-2026-50261) An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients which is disabled by default.(CVE-2026-50262) ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr(CVE-2026-50263) An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.(CVE-2026-50264) An update for xorg-x11-server is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High xorg-x11-server https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50256 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50257 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50258 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50259 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50260 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50261 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50262 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50263 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-50264 https://nvd.nist.gov/vuln/detail/CVE-2026-50256 https://nvd.nist.gov/vuln/detail/CVE-2026-50257 https://nvd.nist.gov/vuln/detail/CVE-2026-50258 https://nvd.nist.gov/vuln/detail/CVE-2026-50259 https://nvd.nist.gov/vuln/detail/CVE-2026-50260 https://nvd.nist.gov/vuln/detail/CVE-2026-50261 https://nvd.nist.gov/vuln/detail/CVE-2026-50262 https://nvd.nist.gov/vuln/detail/CVE-2026-50263 https://nvd.nist.gov/vuln/detail/CVE-2026-50264 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 xorg-x11-server-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-Xdmx-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-Xephyr-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-Xnest-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-Xvfb-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-common-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-debuginfo-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-debugsource-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-devel-1.20.11-45.oe2403sp1.aarch64.rpm xorg-x11-server-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-Xdmx-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-Xephyr-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-Xnest-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-Xvfb-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-common-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-debuginfo-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-debugsource-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-devel-1.20.11-45.oe2403sp3.aarch64.rpm xorg-x11-server-1.20.8-38.oe2003sp4.aarch64.rpm xorg-x11-server-Xephyr-1.20.8-38.oe2003sp4.aarch64.rpm xorg-x11-server-debuginfo-1.20.8-38.oe2003sp4.aarch64.rpm xorg-x11-server-debugsource-1.20.8-38.oe2003sp4.aarch64.rpm xorg-x11-server-devel-1.20.8-38.oe2003sp4.aarch64.rpm xorg-x11-server-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-Xdmx-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-Xephyr-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-Xnest-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-Xvfb-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-common-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-debuginfo-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-debugsource-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-devel-1.20.11-44.oe2203sp4.aarch64.rpm xorg-x11-server-1.20.11-45.oe2403sp1.src.rpm xorg-x11-server-1.20.11-45.oe2403sp3.src.rpm xorg-x11-server-1.20.8-38.oe2003sp4.src.rpm xorg-x11-server-1.20.11-44.oe2203sp4.src.rpm xorg-x11-server-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-Xdmx-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-Xephyr-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-Xnest-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-Xvfb-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-common-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-debuginfo-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-debugsource-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-devel-1.20.11-45.oe2403sp1.x86_64.rpm xorg-x11-server-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-Xdmx-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-Xephyr-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-Xnest-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-Xvfb-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-common-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-debuginfo-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-debugsource-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-devel-1.20.11-45.oe2403sp3.x86_64.rpm xorg-x11-server-1.20.8-38.oe2003sp4.x86_64.rpm xorg-x11-server-Xephyr-1.20.8-38.oe2003sp4.x86_64.rpm xorg-x11-server-debuginfo-1.20.8-38.oe2003sp4.x86_64.rpm xorg-x11-server-debugsource-1.20.8-38.oe2003sp4.x86_64.rpm xorg-x11-server-devel-1.20.8-38.oe2003sp4.x86_64.rpm xorg-x11-server-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-Xdmx-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-Xephyr-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-Xnest-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-Xvfb-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-common-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-debuginfo-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-debugsource-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-devel-1.20.11-44.oe2203sp4.x86_64.rpm xorg-x11-server-help-1.20.11-45.oe2403sp1.noarch.rpm xorg-x11-server-source-1.20.11-45.oe2403sp1.noarch.rpm xorg-x11-server-help-1.20.11-45.oe2403sp3.noarch.rpm xorg-x11-server-source-1.20.11-45.oe2403sp3.noarch.rpm xorg-x11-server-help-1.20.8-38.oe2003sp4.noarch.rpm xorg-x11-server-help-1.20.11-44.oe2203sp4.noarch.rpm xorg-x11-server-source-1.20.11-44.oe2203sp4.noarch.rpm ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr 2026-06-12 CVE-2026-50256 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr 2026-06-12 CVE-2026-50257 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr 2026-06-12 CVE-2026-50258 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr 2026-06-12 CVE-2026-50259 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root. 2026-06-12 CVE-2026-50260 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root. 2026-06-12 CVE-2026-50261 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients which is disabled by default. 2026-06-12 CVE-2026-50262 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 ['Hi all,\n\nCVEs have been issued now, please see inline below\n\nOn Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:', "=======================================================================\nX.Org Security Advisory: June 2, 2026 \n\nIssues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12\n=======================================================================\n\nMultiple issues have been found in the X server and Xwayland implementations\npublished by X.Org for which we are releasing security fixes for in\nxorg-server-21.1.23 and xwayland-24.1.12.\n\nNote that CVEs have been requested for these issues but did not get assigned in\ntime for this disclosure.\n\n* Font Alias Stack-based Buffer Overflow\n\n A mismatch between the X server and the libXfont2 library's maximum\n font name length can cause a stack buffer overflow during font alias\n resolution. The server allocates a 256 byte stack buffer but libXfont2's\n alias target name length is 1024 bytes. A font alias name between 257\n and 1023 bytes causes the X server to copy that name into the undersized\n stack buffer without further checks.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:", 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30136)', 'This issue has been assigned CVE-2026-50256', '* XSYNC Use-After-Free in miSyncDestroyFence()\n\n A client that sets up multiple fence triggers can trigger a\n use-after-free function pointer call. An attacker would connect to the\n X server to set up a fence and await that fence, then a second X\n connection destroys the fence, causing the use-after-free.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30159)', 'This issue has been assigned CVE-2026-50257', '* XKB Key Types Stack-based Buffer Overflow\n\n The X server has multiple stack buffers that are sized\n XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify\n or clamp non-canonical key types to XkbMaxShiftLevel. A client can\n change key types to excessive shift levels and trigger three separate\n stack overflows.\n\n This is caused by an incomplete fix of CVE-2025-26597.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30160)', 'This issue has been assigned CVE-2026-50258', '* XKB SetMap Request Stack-based Buffer Overflow\n\n _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]\n indexed by key type index. The helper function CheckKeyTypes() writes\n to this buffer at a client-controlled offset, allowing a stack buffer\n overflow.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30161)', 'This issue has been assigned CVE-2026-50259', '* XSYNC Use-After-Free in FreeCounter()\n\n A client that sets up multiple SyncCounters and awaits on those\n triggers can trigger a use-after-free when destroying those counters\n via a second client connection.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30163)', 'This issue has been assigned CVE-2026-50260', '* XSYNC Use-After-Free in SyncChangeCounter()\n\n A client that sets up multiple SyncCounters can trigger a use-after-free\n when destroying those counters via a second client connection while\n changing those counters.\n\n Fixed in: xorg-server-21.1.23 and xwayland-24.1.12\n Fix:', 'Found by: Anonymous working with TrendAI Zero Day Initiative.\n (ZDI-CAN-30164)', 'This issue has been assigned CVE-2026-50261', '* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write\n\n A wrong size validation check in __glXDisp_ChangeDrawableAttributes()\n can read (or write) a client-contr 2026-06-12 CVE-2026-50263 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681 An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root. 2026-06-12 CVE-2026-50264 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H xorg-x11-server security update 2026-06-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2681