CVE-2025-26595

NameCVE-2025-26595
DescriptionA buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4072-1, DSA-5872-1
Debian Bugs1098906, 1098907

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xorg-server (PTS)bullseye2:1.20.11-1+deb11u13vulnerable
bullseye (security)2:1.20.11-1+deb11u15fixed
bookworm, bookworm (security)2:21.1.7-3+deb12u9fixed
sid, trixie2:21.1.16-1fixed
xwayland (PTS)bookworm2:22.1.9-1vulnerable
sid, trixie2:24.1.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xorg-serversourcebullseye2:1.20.11-1+deb11u15DLA-4072-1
xorg-serversourcebookworm2:21.1.7-3+deb12u9DSA-5872-1
xorg-serversource(unstable)2:21.1.16-11098906
xwaylandsource(unstable)2:24.1.6-11098907

Notes

[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
https://lists.x.org/archives/xorg-announce/2025-February/003584.html
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda8753e994e15eb915d28cf487660ec8e722
Search for package or bug name: Reporting problems