CVE-2025-26595

NameCVE-2025-26595
DescriptionA buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1098906, 1098907

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xorg-server (PTS)bullseye2:1.20.11-1+deb11u13vulnerable
bullseye (security)2:1.20.11-1+deb11u14vulnerable
bookworm, bookworm (security)2:21.1.7-3+deb12u8vulnerable
sid, trixie2:21.1.15-3vulnerable
xwayland (PTS)bookworm2:22.1.9-1vulnerable
sid, trixie2:24.1.5-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xorg-serversource(unstable)(unfixed)1098906
xwaylandsource(unstable)(unfixed)1098907

Notes

[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
https://lists.x.org/archives/xorg-announce/2025-February/003584.html
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda8753e994e15eb915d28cf487660ec8e722
Search for package or bug name: Reporting problems