CVE-2026-34003

NameCVE-2026-34003
DescriptionA flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xorg-server (PTS)bullseye2:1.20.11-1+deb11u13vulnerable
bullseye (security)2:1.20.11-1+deb11u17vulnerable
bookworm, bookworm (security)2:21.1.7-3+deb12u11vulnerable
trixie (security), trixie2:21.1.16-1.3+deb13u1vulnerable
forky2:21.1.21-1vulnerable
sid2:21.1.22-1fixed
xwayland (PTS)bookworm2:22.1.9-1vulnerable
trixie2:24.1.6-1vulnerable
forky2:24.1.10-1fixed
sid2:24.1.11-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xorg-serversource(unstable)2:21.1.22-1
xwaylandsource(unstable)2:24.1.10-1

Notes

[trixie] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
[bookworm] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - xorg-server <postponed> (Minor issue)
[trixie] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
https://lists.x.org/archives/xorg-announce/2026-April/003677.html
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563fab5c4a554e0939da39e4d1dadef7cbae
Search for package or bug name: Reporting problems