CVE-2026-34002

NameCVE-2026-34002
DescriptionA flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xorg-server (PTS)bullseye2:1.20.11-1+deb11u13vulnerable
bullseye (security)2:1.20.11-1+deb11u17vulnerable
bookworm2:21.1.7-3+deb12u12fixed
bookworm (security)2:21.1.7-3+deb12u11vulnerable
trixie2:21.1.16-1.3+deb13u2fixed
trixie (security)2:21.1.16-1.3+deb13u1vulnerable
forky, sid2:21.1.22-1fixed
xwayland (PTS)bookworm2:22.1.9-1vulnerable
trixie2:24.1.6-1vulnerable
forky, sid2:24.1.11-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xorg-serversourcebookworm2:21.1.7-3+deb12u12
xorg-serversourcetrixie2:21.1.16-1.3+deb13u2
xorg-serversource(unstable)2:21.1.22-1
xwaylandsource(unstable)2:24.1.10-1

Notes

[bullseye] - xorg-server <postponed> (Minor issue)
[trixie] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
https://lists.x.org/archives/xorg-announce/2026-April/003677.html
fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1cc96ed9261052c31524162c78e458f98c
Search for package or bug name: Reporting problems